
Add support for HTTP POST and Basic Auth to psnuffle #10315

Merged
merged 1 commit into from
Jul 17, 2018

Conversation

bcoles
Contributor

@bcoles bcoles commented Jul 15, 2018

This PR adds support for HTTP POST and Basic Authentication to psnuffle.

From the does-anyone-even-use-this department.

This code is pretty bad. It's probably not even correct. The psnuffle codebase did not age well, the code comments are a lie, and the documentation does not exist.

Also, I removed sessions.delete(s[:session]). Seems like that was probably important to prevent using tonnes of memory. ¯\_(ツ)_/¯

Test

wget 'https://github.com/LiamRandall/BsidesDC-Training/raw/master/http-auth/http-basic-auth.pcap' -O /tmp/http-basic-auth.pcap

msf5 > use auxiliary/sniffer/psnuffle 
msf5 auxiliary(sniffer/psnuffle) > # use undocumented feature to load pcap file
msf5 auxiliary(sniffer/psnuffle) > set pcapfile /tmp/http-basic-auth.pcap
pcapfile => /tmp/http-basic-auth.pcap

HTTP Basic Authentication

Marvel at this beautiful output.

msf5 auxiliary(sniffer/psnuffle) > rexploit 
[*] Stopping existing job...
[*] Reloading module...
[*] Auxiliary module running as background job 86.

[*] Loaded protocol FTP from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] HTTP GET: 192.168.0.4:54317-192.254.189.169:80 http://browserspy.dk/password-ok.php
[*] HTTP GET: 192.168.0.4:54318-192.254.189.169:80 http://browserspy.dk/password-ok.php
[*] HTTP GET: 192.168.0.4:54337-192.254.189.169:80 http://browserspy.dk/password-ok.php
[*] HTTP GET: 192.168.0.4:54338-192.254.189.169:80 http://browserspy.dk/password-ok.php
[*] HTTP GET: 192.168.0.4:54338-192.254.189.169:80 http://browserspy.dk/password-ok.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54338-192.254.189.169:80 >> test / fail3
[*] HTTP GET: 192.168.0.4:54338-192.254.189.169:80 http://browserspy.dk/theme/reset.css
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54338-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/theme/default.css
[*] HTTP GET: 192.168.0.4:54341-192.254.189.169:80 http://browserspy.dk/js/jquery.js
[*] HTTP GET: 192.168.0.4:54342-192.254.189.169:80 http://browserspy.dk/pics/logo.png
[*] HTTP GET: 192.168.0.4:54342-192.254.189.169:80 http://browserspy.dk/theme/header.gif
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
msf5 auxiliary(sniffer/psnuffle) > [!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54342-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54341-192.254.189.169:80 http://browserspy.dk/pics/beta.png
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54341-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/theme/background.gif
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54340-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54338-192.254.189.169:80 http://browserspy.dk/theme/bullet_black.png
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54338-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54343-192.254.189.169:80 http://browserspy.dk/pics/menunew.png
[*] HTTP GET: 192.168.0.4:54342-192.254.189.169:80 http://browserspy.dk/theme/tr_back.jpg
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54342-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54341-192.254.189.169:80 http://browserspy.dk/theme/link_internal.png
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54341-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/theme/link_external.png
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54340-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/password.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54340-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/password-ok.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54340-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/password.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54340-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/password-ok.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54340-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54340-192.254.189.169:80 http://browserspy.dk/password.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54340-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54487-192.254.189.169:80 http://browserspy.dk/password.php
[*] HTTP GET: 192.168.0.4:54505-192.254.189.169:80 http://browserspy.dk/password.php
[*] HTTP GET: 192.168.0.4:54505-192.254.189.169:80 http://browserspy.dk/password-ok.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54505-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54506-192.254.189.169:80 http://browserspy.dk/?_=1381844104551
[*] HTTP GET: 192.168.0.4:54580-192.254.189.169:80 http://browserspy.dk/password-ok.php
[*] HTTP GET: 192.168.0.4:54581-192.254.189.169:80 http://browserspy.dk/theme/reset.css
[*] HTTP GET: 192.168.0.4:54582-192.254.189.169:80 http://browserspy.dk/theme/default.css
[*] HTTP GET: 192.168.0.4:54583-192.254.189.169:80 http://browserspy.dk/js/jquery.js
[*] HTTP GET: 192.168.0.4:54584-192.254.189.169:80 http://browserspy.dk/pics/logo.png
[*] HTTP GET: 192.168.0.4:54584-192.254.189.169:80 http://browserspy.dk/password.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54584-192.254.189.169:80 >> test / test
[*] HTTP GET: 192.168.0.4:54584-192.254.189.169:80 http://browserspy.dk/password-ok.php
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] HTTP Basic Authentication: 192.168.0.4:54584-192.254.189.169:80 >> test / test
[*] Finished sniffing

HTTP POST

msf5 auxiliary(sniffer/psnuffle) > run
[*] Auxiliary module running as background job 88.

[*] Loaded protocol FTP from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /pentest/exploit/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] HTTP GET: 172.16.191.188:41741-10.1.1.1:80 http://10.1.1.1/
[*] HTTP GET: 172.16.191.188:45321-93.184.216.34:80 http://example.com/
[*] HTTP GET: 172.16.191.188:45321-93.184.216.34:80 http://example.com/favicon.ico
[*] HTTP GET: 172.16.191.188:45321-93.184.216.34:80 http://example.com/favicon.ico
[*] HTTP GET: 172.16.191.188:45321-93.184.216.34:80 http://example.com/favicon.ico
[*] HTTP POST: 172.16.191.188:45321-93.184.216.34:80 http://example.com/form
[*] Finished sniffing
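The two runs above show the parser pulling a Basic credential out of a GET and flagging a form POST. The following is an added example, not code from this pull request or from psnuffle: a small stand-alone Ruby parser over raw HTTP/1.x requests that reports the same two conditions from a monitoring point of view, logging the username and the posted field names but never the secret, and handling the malformed case a `split(':', 2)` on a decoded Basic value leaves behind (no `:` separator, so no password). The sample requests, the hostnames and the `dGVzdDp0ZXN0` credential are constructed for the example; the regex names and helper functions are this example's own, not the module's.

```ruby
# Added example (not part of the pull request or psnuffle): parse a raw
# HTTP/1.x request and report whether it carries credentials in the clear,
# either a Basic Authorization header or a form-encoded POST body.

# Request line and the headers psnuffle's URL parser looks at.
REQUEST_LINE = /\A(GET|POST)\s+(\S+)\s+HTTP\/\d\.\d\r?\n/i
HOST_HEADER  = /^Host:\s*([^\r\n]+)/i
BASIC_AUTH   = /^Authorization:\s*Basic\s+([A-Za-z0-9+\/=]+)/i
FORM_TYPE    = /^Content-Type:\s*application\/x-www-form-urlencoded/i

# Decode a Basic credential into [user, pass]. pass is nil when the decoded
# value has no ':' separator (malformed header); the caller must handle that.
def decode_basic(b64)
  decoded = b64.unpack1('m')      # base64 decode, no extra require needed
  user, pass = decoded.split(':', 2)
  [user, pass]
end

# Returns a hash describing one request, or nil if it is not a GET/POST.
def parse_request(raw)
  m = REQUEST_LINE.match(raw)
  return nil unless m
  head, body = raw.split(/\r?\n\r?\n/, 2)
  h = HOST_HEADER.match(head)
  host = h ? h[1] : nil
  result = {
    method: m[1].upcase,
    url: "http://#{host}#{m[2]}",
    basic_user: nil,
    basic_pass_present: false,
    form_fields: [],
  }
  if (a = BASIC_AUTH.match(head))
    user, pass = decode_basic(a[1])
    result[:basic_user] = user
    result[:basic_pass_present] = !pass.nil?
  end
  if result[:method] == 'POST' && FORM_TYPE.match?(head) && body && !body.empty?
    # Keep only the field names; the values are the secrets we must not log.
    result[:form_fields] = body.split('&').map { |kv| kv.split('=', 2).first }
  end
  result
end

# One alert line per request that carried credentials over plaintext HTTP.
def cleartext_cred_alerts(requests)
  requests.map { |r| parse_request(r) }.compact.filter_map do |r|
    if r[:basic_user]
      note = r[:basic_pass_present] ? '' : ' (malformed: no password separator)'
      "Basic credential in clear: user=#{r[:basic_user]} url=#{r[:url]}#{note}"
    elsif r[:form_fields].any? { |f| f =~ /pass|pwd/i }
      "Password-like form field posted in clear: fields=#{r[:form_fields].join(',')} url=#{r[:url]}"
    end
  end
end

# Constructed sample traffic; dGVzdDp0ZXN0 is base64("test:test"),
# dGVzdA== is base64("test") with no separator.
SAMPLE_REQUESTS = [
  "GET /password-ok.php HTTP/1.1\r\nHost: browserspy.dk\r\nAuthorization: Basic dGVzdDp0ZXN0\r\n\r\n",
  "POST /form HTTP/1.1\r\nHost: example.com\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\nusername=alice&password=secret",
  "GET /favicon.ico HTTP/1.1\r\nHost: example.com\r\n\r\n",
  "GET / HTTP/1.1\r\nHost: 10.1.1.1\r\nAuthorization: Basic dGVzdA==\r\n\r\n",
]

if __FILE__ == $PROGRAM_NAME
  cleartext_cred_alerts(SAMPLE_REQUESTS).each { |line| puts line }
end
```

Run it directly to see the three alert lines; the third sample (a plain favicon fetch) produces none, and the fourth is reported as malformed rather than dropped, which is the behaviour you want from a monitor: a broken `Authorization` header is still a credential on the wire.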

@bcoles bcoles added the module label Jul 15, 2018
}
end

def parse(pkt)
# We want to return immediantly if we do not have a packet which is handled by us
# We want to return immediatly if we do not have a packet which is handled by us
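Review bot: the replacement comment on the `+` line still misspells the word ("immediatly"), so this hunk only swaps one typo for another; suggest `# We want to return immediately if we do not have a packet which is handled by us`.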
Contributor

Immediately.

Contributor

This is the only thing I'd change for sure. :-)

class SnifferURL < BaseProtocolParser
def register_sigs
self.sigs = {
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
:webhost => /^HOST\:\s+([^\n\r]+)/i,
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
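Review bot: the new `:webhost` signature escapes the colon (`HOST\:`), which is not needed in a Ruby regex; `/^HOST:\s+([^\n\r]+)/i` is equivalent and reads more clearly. The `[^\n\r]+` capture is the right choice for a header value, since a bare `[^\n]` would keep the trailing `\r` of a CRLF line in the captured host. The `:get =>` hash-rocket style on the new key matches the rest of this file but not the `get:` form the reviewer asks for above; pick one for the whole hash rather than mixing.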
Contributor

Prefer get:, etc.

Contributor

Assuming you're keeping the style because no one really uses this anymore anyway.

end
if s[:basic_auth]
s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
report_auth_info s
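Review bot: the Basic credential branch has no guard for a malformed header. If the decoded value contains no `:`, `split(':', 2)` leaves `s[:pass]` as `nil`, and an empty or non-base64 `Authorization` value decodes to an empty string with `s[:user]` empty as well, yet `report_auth_info s` is still called for it; the run output in the description also shows that method is deprecated in this framework. Suggest reporting only when both parts are present, e.g. wrap the call in `if s[:user] && s[:pass]`, and note the deprecated call in a comment so the file-wide conversion to `store_valid_credential` the reviewer mentions picks this site up too.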
Contributor

Same down here re style. No one really uses this. I'd change it to store_valid_credential, but there are other calls to pSnuffle's report_auth_info.

Contributor Author

Left it the same for consistency. Figured someone would update all the report_auth_info in one go. I left it out for now to prevent merge conflicts.

@@ -1,22 +1,24 @@
# Psnuffle password sniffer add-on class for HTTP GET URL's
# Psnuffle password sniffer add-on class for HTTP URLs
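Review bot: the new header comment only says "HTTP URLs", while this change makes the parser also report HTTP POST requests and Basic Authentication credentials; suggest naming those in the one line of documentation the file has, e.g. `# Psnuffle password sniffer add-on class for HTTP URLs, POST requests and Basic Authentication`.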
Contributor

This file isn't even in the right place. :/

@wvu wvu self-assigned this Jul 17, 2018
wvu added a commit to wvu/metasploit-framework that referenced this pull request Jul 17, 2018
@wvu wvu merged commit 6cd1593 into rapid7:master Jul 17, 2018
@wvu
Contributor

wvu commented Jul 17, 2018

f93e4a2

msjenkins-r7 pushed a commit that referenced this pull request Jul 17, 2018
@wvu
Contributor

wvu commented Jul 17, 2018

Release Notes

HTTP POST and basic authentication support has been added to pSnuffle.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Aug 1, 2018