forked from rapid7/metasploit-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
61 changes: 61 additions & 0 deletions
61
documentation/modules/auxiliary/gather/prometheus_api_gather.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This module utilizes Prometheus' API calls to gather information about | ||
| the server's configuration, and targets. Fields which may contain | ||
| credentials, or credential file names are then pulled out and printed. | ||
|
|
||
| Targets may have a wealth of information, this module will print the following | ||
| values when found: | ||
| `__meta_gce_metadata_ssh_keys`, `__meta_gce_metadata_startup_script`, | ||
| `__meta_gce_metadata_kube_env`, `kubernetes_sd_configs`, | ||
| `_meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration`, | ||
| `__meta_ec2_tag_CreatedBy`, `__meta_ec2_tag_OwnedBy` | ||
|
|
||
| Shodan search: `"http.favicon.hash:-1399433489"` | ||
|
|
||
| A docker image is [available](https://hub.docker.com/r/prom/prometheus) however | ||
| this basic configuration has almost no interest data. Configuring it can be tricky | ||
| as it may not start w/o being able to contact the contacted services. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Install the application or find one on the Internet | ||
| 1. Start msfconsole | ||
| 1. Do: `use auxiliary/gather/prometheus_api_gather` | ||
| 1. Do: `set rhosts [ip]` | ||
| 1. Do: `run` | ||
| 1. You should get any valuable information | ||
|
|
||
| ## Options | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### Prometheus 2.39.1 | ||
|
|
||
| ``` | ||
| msf6 auxiliary(gather/prometheus_api_gather) > set rhosts 11.111.11.111 | ||
| rhosts => 11.111.11.111 | ||
| msf6 auxiliary(gather/prometheus_api_gather) > set rport 80 | ||
| rport => 80 | ||
| msf6 auxiliary(gather/prometheus_api_gather) > run | ||
| [*] Running module against 11.111.11.111 | ||
| [*] 11.111.11.111:80 - Checking build info | ||
| [+] Prometheus found, version: 2.39.1 | ||
| [*] 11.111.11.111:80 - Checking status config | ||
| [+] YAML config saved to /root/.msf4/loot/20230815174315_default_11.111.11.111_PrometheusYAML_982929.yaml | ||
| [+] Credentials | ||
| =========== | ||
| Name Config Host Port Public/Username Private/Password/Token Notes | ||
| ---- ------ ---- ---- --------------- ---------------------- ----- | ||
| kubernetes-apiservers authorization Bearer /var/run/secrets/kubernetes.io/serviceaccount/token | ||
| kubernetes-nodes authorization Bearer /var/run/secrets/kubernetes.io/serviceaccount/token | ||
| kubernetes-nodes-cadvisor authorization Bearer /var/run/secrets/kubernetes.io/serviceaccount/token | ||
| [*] 11.111.11.111:80 - Checking targets | ||
| [+] JSON targets saved to /root/.msf4/loot/20230815174315_default_11.111.11.111_PrometheusJSON_145604.json | ||
| [*] 11.111.11.111:80 - Checking status flags | ||
| [+] Config file: /etc/config/prometheus.yml | ||
| [*] Auxiliary module execution completed | ||
| ``` |
50 changes: 50 additions & 0 deletions
50
documentation/modules/auxiliary/gather/prometheus_node_exporter_gather.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| Instructions to get the vulnerable application. If applicable, include links to the vulnerable install | ||
| files, as well as instructions on installing/configuring the environment if it is different than a | ||
| standard install. Much of this will come from the PR, and can be copy/pasted. | ||
|
|
||
| ### Install | ||
|
|
||
| docker run -d --net="host" --pid="host" -v "/:/host:ro,rslave" quay.io/prometheus/node-exporter:latest --path.rootfs=/host | ||
|
|
||
| ./node_exporter --collector.buddyinfo --collector.cgroups --collector.drm --collector.drbd --collector.ethtool --collecto | ||
| r.interrupts --collector.ksmd --collector.lnstat --collector.logind --collector.meminfo_numa --collector.mountstats --collector.network_route --collector.perf --collector.proce | ||
| sses --collector.qdisc --collector.slabinfo --collector.softirqs --collector.sysctl --collector.systemd --collector.tcpstat --collector.wifi --collector.zoneinfo | ||
|
|
||
| windows --collectors.enabled ad,adcs,adfs,cache,cpu,cpu_info,cs,container,dfsr,dhcp,dns,exchange,fsrmquota,hyperv,iis,logical_disk,logon,memory,mscluster_cluster,mscluster_network,mscluster_node,mscluster_resource,mscluster_resourcegroup,msmq,mssql,netframework_clrexceptions,netframework_clrinterop,netframework_clrjit,netframework_clrloading,netframework_clrlocksandthreads,netframework_clrmemory,netframework_clrremoting,netframework_clrsecurity,net,os,process,remote_fx,scheduled_task,service,smtp,system,tcp,teradici_pcoip,time,thermalzone,terminal_services,textfile,vmware_blast,vmware | ||
|
|
||
| ## Verification Steps | ||
| Example steps in this format (is also in the PR): | ||
|
|
||
| 1. Install the application | ||
| 1. Start msfconsole | ||
| 1. Do: `use [module path]` | ||
| 1. Do: `run` | ||
| 1. You should get a shell. | ||
|
|
||
| ## Options | ||
| List each option and how to use it. | ||
|
|
||
| ### Option Name | ||
|
|
||
| Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here. | ||
|
|
||
| ## Scenarios | ||
| Specific demo of using the module that might be useful in a real world scenario. | ||
|
|
||
| ### Version and OS | ||
|
|
||
| ``` | ||
| code or console output | ||
| ``` | ||
|
|
||
| For example: | ||
|
|
||
| To do this specific thing, here's how you do it: | ||
|
|
||
| ``` | ||
| msf > use module_name | ||
| msf auxiliary(module_name) > set POWERLEVEL >9000 | ||
| msf auxiliary(module_name) > exploit | ||
| ``` |