Fix to add LoginServlet authentication #11183
Merged
The `LoginServlet` currently does not require authentication. This fix adds authentication to the `LoginServlet` endpoints introduced in #10176.

Get hosts or other models without authentication and note the error message:

Get logins without authentication and a response is returned rather than an authentication error:

Note, the response is empty because there are no logins in the database.

Ticket: MS-3699
## Verification

Note, the verification steps are mostly duplicated from #10176.

### Test login modules

The following steps will create and update login records.

- `msfconsole`
- `creds add user:vagrant password:vagrant`
- `use auxiliary/scanner/ssh/ssh_login`
- `set RHOSTS <IP address of Metasploitable3>`
- `set DB_ALL_CREDS true` to use the credential pairs stored in the database.
- `run`
- Ensure valid credentials are displayed when running the `creds` command.
- `use auxiliary/scanner/ssh/ssh_login`
- `set RHOSTS <IP address of Metasploitable3>`
- `set DB_ALL_CREDS true` to use the credential pairs stored in the database.
- `run`
- Ensure invalid credentials are displayed when running the `creds` command.
- `run` the module again to get a failed attempt.
- Verify the content in the API docs at http://localhost:8080/api/v1/api-docs. The login record should show a `status` of `Unable to connect`.
### Test JTR modules

The following steps will create and update login records.

- `msfconsole`
- `resource <RC Script Name>.rc`
- `use post/linux/gather/hashdump`
- `set SESSION <root session ID>`
- `run`
- `use auxiliary/analyze/jtr_linux`
- Prepare a wordlist file that contains `Pr0t0c07`.
- `set CUSTOM_WORDLIST <wordlist file name>`
- `set USE_DEFAULT_WORDLIST false`
- `set USE_ROOT_WORDS false`
- `run` - this should successfully crack the `c_three_pio` hash
- Check the cracked credential with the `creds` command.
- `use auxiliary/scanner/ssh/ssh_login`
- `set RHOSTS <IP address of Metasploitable3>`
- `set DB_ALL_CREDS true` to use the credential pairs stored in the database.
- `run`
- Check the login records with the `creds` command.
- Verify the content in the API docs.
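As an added check for the behaviour this PR fixes (example code, not part of the Metasploit project), the Ruby script below requests each REST endpoint once without and once with a bearer token and reports any endpoint that answers without authentication, which is what the `LoginServlet` did before this change. The base URL, the `/api/v1/hosts` and `/api/v1/logins` paths, the `Authorization: Bearer` header and the `MSF_API_TOKEN` environment variable are assumptions.

```ruby
require 'net/http'
require 'uri'

# Added example, not code from the Metasploit project. It probes REST endpoints
# once without and once with a bearer token and flags any that answer without
# authentication. Assumed: the web service is at BASE_URL, accepts
# "Authorization: Bearer <token>", and exposes the paths listed in ENDPOINTS.
BASE_URL  = 'http://localhost:8080'.freeze
ENDPOINTS = ['/api/v1/hosts', '/api/v1/logins'].freeze

# HTTP status of a GET to path, sending the bearer token when one is given.
def http_status(path, token, base_url: BASE_URL)
  uri = URI.join(base_url, path)
  req = Net::HTTP::Get.new(uri)
  req['Authorization'] = "Bearer #{token}" if token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  res.code.to_i
end

# Verdict for one endpoint from the status seen without and with a token:
#   :enforced       rejected (401/403) without a token, 200 with one
#   :unprotected    200 without a token (the LoginServlet behaviour this PR fixes)
#   :token_rejected rejected with the token too; wrong token or wrong service
#   :unexpected     anything else (404, 500, ...), worth a closer look
def classify(unauth_status, auth_status)
  rejected = [401, 403]
  if rejected.include?(unauth_status) && auth_status == 200
    :enforced
  elsif unauth_status == 200
    :unprotected
  elsif rejected.include?(unauth_status) && rejected.include?(auth_status)
    :token_rejected
  else
    :unexpected
  end
end

# Audits each path; fetch is a callable (path, token) -> status so the HTTP layer can be stubbed.
def audit(token, paths: ENDPOINTS, fetch: method(:http_status))
  paths.each_with_object({}) do |path, report|
    report[path] = classify(fetch.call(path, nil), fetch.call(path, token))
  end
end

# Runs only when executed directly with an API token in the environment (assumed variable name).
if __FILE__ == $PROGRAM_NAME && ENV['MSF_API_TOKEN']
  audit(ENV['MSF_API_TOKEN']).each { |path, verdict| puts "#{path}: #{verdict}" }
end
```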