Prevent storing empty config files as loot #11076

Merged
merged 1 commit into from Dec 7, 2018

bcoles commented Dec 6, 2018

This PR prevents the linux/gather/enum_configs module from storing empty config files as loot.

Before this PR, this module would store every config file, regardless of whether it existed, and regardless of whether it was empty (i.e., permission denied). This was mitigated in part by a regex for /No such file or directory/, which was largely useless, but I've left it in. This regex didn't always match, is locale-dependent, and ignores /Permission denied/.

In some instances, it may be useful to know that a config file existed, but was empty. However, this is rare, and the existing implementation also failed in this regard, due to the aforementioned shortcomings in the regex. For this reason, I argue that this PR is an improvement.

Worse, the loot is stored with the generic name linux.enum.conf which gives no indication of which file you're looking at, unless you still have the console open, or spooled console output to a log file for review, so you can play a dumb game of match-the-loot-filename-to-config-filename. This PR does not resolve this issue, as it still uses the linux.enum.conf naming convention, but mitigates it in part by not clogging up the loot directory with empty files.

This PR also includes some minor style changes.

Before

msf5 post(linux/gather/enum_configs) > run

[!] SESSION may not be compatible with this module.
[*] Running module against subgraph
[*] Info:
[*] 	Subgraph OS 1.0  
[*] 	Linux subgraph 4.9.33-subgraph #1 SMP Mon Jun 19 20:32:42 UTC 2017 x86_64 GNU/Linux
[*] Finding configuration files...
[+] apache2.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_441886.txt
[+] ports.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_423480.txt
[+] nginx.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_070280.txt
[+] snort.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_768418.txt
[+] my.cnf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_888947.txt
[+] ufw.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_857432.txt
[+] sysctl.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_719241.txt
[+] security.access.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_143477.txt
[+] shells stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_293610.txt
[+] sepermit.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_877445.txt
[+] ca-certificates.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_031230.txt
[+] access.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_800338.txt
[+] gated.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_914133.txt
[+] rpc stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_165241.txt
[+] psad.conf stored in /root/.msf4/loot/20181206073758_default_172.16.191.142_linux.enum.conf_363847.txt
[+] debian.cnf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_268450.txt
[+] chkrootkit.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_721853.txt
[+] logrotate.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_983003.txt
[+] rkhunter.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_619298.txt
[+] smb.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_468565.txt
[+] ldap.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_715081.txt
[+] openldap.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_583731.txt
[+] cups.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_746181.txt
[+] httpd.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_024369.txt
[+] sysctl.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_030931.txt
[+] proxychains.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_537195.txt
[+] snmp.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_039472.txt
[+] sendmail.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_195537.txt
[+] snmp.conf stored in /root/.msf4/loot/20181206073759_default_172.16.191.142_linux.enum.conf_151352.txt
[*] Post module execution completed

After

msf5 post(linux/gather/enum_configs) > rexploit 
[*] Reloading module...

[!] SESSION may not be compatible with this module.
[*] Running module against 172.16.191.142 [subgraph]
[*] Info:
[*] 	Subgraph OS 1.0  
[*] 	Linux subgraph 4.9.33-subgraph #1 SMP Mon Jun 19 20:32:42 UTC 2017 x86_64 GNU/Linux
[*] Finding configuration files...
[+] shells stored in /root/.msf4/loot/20181206075253_default_172.16.191.142_linux.enum.conf_590038.txt
[+] sepermit.conf stored in /root/.msf4/loot/20181206075253_default_172.16.191.142_linux.enum.conf_609883.txt
[+] ca-certificates.conf stored in /root/.msf4/loot/20181206075253_default_172.16.191.142_linux.enum.conf_686067.txt
[+] access.conf stored in /root/.msf4/loot/20181206075253_default_172.16.191.142_linux.enum.conf_846060.txt
[+] rpc stored in /root/.msf4/loot/20181206075253_default_172.16.191.142_linux.enum.conf_449602.txt
[+] logrotate.conf stored in /root/.msf4/loot/20181206075254_default_172.16.191.142_linux.enum.conf_925699.txt
[+] ldap.conf stored in /root/.msf4/loot/20181206075254_default_172.16.191.142_linux.enum.conf_258899.txt
[+] sysctl.conf stored in /root/.msf4/loot/20181206075254_default_172.16.191.142_linux.enum.conf_684448.txt
[*] Post module execution completed
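An added example, not code from the enum_configs module or this PR, showing the storage rule the PR argues for applied to constructed `cat` outputs: store a remote config file only when reading it actually produced content, and treat the locale-dependent shell error strings as a secondary check. The helper names (`config_worthy?`, `filter_configs`) and the sample outputs are assumptions.

```ruby
# Added example, not the module's or PR's own code. Helper names and the
# sample outputs below are assumptions made for illustration.

# Error strings the discussion mentions. They come from the target's shell
# and are locale-dependent, so they are only a secondary check; the primary
# test is whether any content came back at all.
READ_ERROR = /No such file or directory|Permission denied/

def config_worthy?(output)
  # Nil or whitespace-only output: the file is absent, empty, or unreadable
  # (stderr not captured), so there is nothing worth storing as loot.
  return false if output.nil? || output.strip.empty?

  lines = output.lines.map(&:strip).reject(&:empty?)
  # A lone line carrying a read error is the shell complaining, not a config.
  # Multi-line content that merely mentions these phrases (e.g. a comment
  # inside a real config file) is still kept.
  return false if lines.size == 1 && lines.first.match?(READ_ERROR)

  true
end

# Constructed sample results, keyed by remote path, as `cat <path>` over a
# session might return them.
SAMPLE_READS = {
  '/etc/shells'               => "/bin/sh\n/bin/bash\n",
  '/etc/apache2/apache2.conf' => "cat: /etc/apache2/apache2.conf: No such file or directory\n",
  '/etc/mysql/debian.cnf'     => '',         # unreadable: stderr was not captured
  '/etc/snort/snort.conf'     => "\n  \n",   # exists but holds nothing
  '/etc/logrotate.conf'       => "# Permission denied errors are logged\nweekly\n"
}.freeze

# Returns the remote paths whose content should be handed to store_loot.
def filter_configs(reads)
  reads.select { |_path, output| config_worthy?(output) }.keys
end

if __FILE__ == $PROGRAM_NAME
  filter_configs(SAMPLE_READS).each { |path| puts "would store #{path}" }
end
```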
h00die commented Dec 6, 2018

my ugly gosh. Why not fix the loot file names now, or are you planning on a 2nd pr to do that?

bcoles commented Dec 6, 2018

> my ugly gosh. Why not fix the loot file names now, or are you planning on a 2nd pr to do that?

I didn't bother to test with a database. It turns out the config file names are also stored if a database is connected:

msf5 post(linux/gather/enum_configs) > loot

Loot
====

host            service  type             name                  content     info  path
----            -------  ----             ----                  -------     ----  ----
172.16.191.142           linux.enum.conf  shells                text/plain        /root/.msf4/loot/20181206090557_default_172.16.191.142_linux.enum.conf_023329.txt
172.16.191.142           linux.enum.conf  sepermit.conf         text/plain        /root/.msf4/loot/20181206090557_default_172.16.191.142_linux.enum.conf_789601.txt
172.16.191.142           linux.enum.conf  ca-certificates.conf  text/plain        /root/.msf4/loot/20181206090557_default_172.16.191.142_linux.enum.conf_698753.txt
172.16.191.142           linux.enum.conf  access.conf           text/plain        /root/.msf4/loot/20181206090557_default_172.16.191.142_linux.enum.conf_709704.txt
172.16.191.142           linux.enum.conf  rpc                   text/plain        /root/.msf4/loot/20181206090557_default_172.16.191.142_linux.enum.conf_753136.txt
172.16.191.142           linux.enum.conf  logrotate.conf        text/plain        /root/.msf4/loot/20181206090557_default_172.16.191.142_linux.enum.conf_025977.txt
172.16.191.142           linux.enum.conf  ldap.conf             text/plain        /root/.msf4/loot/20181206090558_default_172.16.191.142_linux.enum.conf_303397.txt
172.16.191.142           linux.enum.conf  sysctl.conf           text/plain        /root/.msf4/loot/20181206090558_default_172.16.191.142_linux.enum.conf_499323.txt

Fixing the filenames would make a bit of a mess of this output:

msf5 post(linux/gather/enum_configs) > loot

Loot
====

host            service  type                  name                  content     info  path
----            -------  ----                  ----                  -------     ----  ----
172.16.191.142           shells                shells                text/plain        /root/.msf4/loot/20181206090936_default_172.16.191.142_shells_557946.txt
172.16.191.142           sepermit.conf         sepermit.conf         text/plain        /root/.msf4/loot/20181206090936_default_172.16.191.142_sepermit.conf_212697.txt
172.16.191.142           ca-certificates.conf  ca-certificates.conf  text/plain        /root/.msf4/loot/20181206090936_default_172.16.191.142_cacertificates._784126.txt
172.16.191.142           access.conf           access.conf           text/plain        /root/.msf4/loot/20181206090936_default_172.16.191.142_access.conf_915323.txt
172.16.191.142           rpc                   rpc                   text/plain        /root/.msf4/loot/20181206090936_default_172.16.191.142_rpc_692717.txt
172.16.191.142           logrotate.conf        logrotate.conf        text/plain        /root/.msf4/loot/20181206090937_default_172.16.191.142_logrotate.conf_290220.txt
172.16.191.142           ldap.conf             ldap.conf             text/plain        /root/.msf4/loot/20181206090937_default_172.16.191.142_ldap.conf_599883.txt
172.16.191.142           sysctl.conf           sysctl.conf           text/plain        /root/.msf4/loot/20181206090937_default_172.16.191.142_sysctl.conf_423948.txt

I'm not sure how important the loot type column is?

bcoles commented Dec 6, 2018

Perhaps it would make more sense to modify the store_loot library method to make use of ::File.basename(filename) (if a value is provided for the optional filename parameter in the call to store_loot), rather than the loot type, when constructing the filename for storing the loot on the local filesystem. In which case it's outside the scope of this PR.

h00die commented Dec 6, 2018

BTW I meant storing empty files was ugly, not your changes, just to make sure that was taken correctly

busterb commented Dec 7, 2018

Some similar get_host smells to consider deleting later as well:

modules/post/linux/gather/enum_network.rb: def get_host
modules/post/linux/gather/tor_hiddenservices.rb: def get_host

@busterb busterb self-assigned this Dec 7, 2018

@busterb busterb merged commit eecc5d6 into rapid7:master Dec 7, 2018

2 of 3 checks passed

Metasploit Automation - Sanity Test Execution Failed to pass tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

busterb added a commit that referenced this pull request Dec 7, 2018

busterb commented Dec 7, 2018

Release Notes

This updates the post/linux/gather/enum_configs module to not store empty files in the loot database.

msjenkins-r7 added a commit that referenced this pull request Dec 7, 2018

@bcoles bcoles deleted the bcoles:enum_configs branch Dec 7, 2018
