Fix LoginServlet to meet API standards and documented functionality #11187
This fixes the LoginServlet, introduced in #10176, to meet API standards and documented functionality.
LoginServlet uses set_json_response(data) rather than set_json_data_response(response: data) like the other servlets and therefore the response lacks the data object wrapper in the JSON response.
GET response from logins endpoint without records:
GET response from another model endpoint without records:
/api/v1/logins/<ID>, although documented in the OpenAPI documentation at https://localhost:8080/api/v1/api-docs, does not return a valid response:
Response:
Ticket: MS-3706
Verification
Note, the verification steps are mostly duplicated from #10176.
Test login modules
The following steps will create and update login records.
msfconsole
creds add user:vagrant password:vagrant
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <IP address of Metasploitable3>
set DB_ALL_CREDS true to use the credential pairs stored in the database. Ensure valid credentials are displayed when running the creds command.
run
creds command.
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <IP address of Metasploitable3>
set DB_ALL_CREDS true to use the credential pairs stored in the database. Ensure invalid credentials are displayed when running the creds command.
run
creds command.
run the module again to get a failed attempt.
http://localhost:8080/api/v1/api-docs. The login record should show a status of Unable to connect
Test JTR modules
The following steps will create and update login records.
msfconsole
resource <RC Script Name>.rc
use post/linux/gather/hashdump
set SESSION <root session ID>
run
use auxiliary/analyze/jtr_linux
Pr0t0c07
set CUSTOM_WORDLIST <wordlist file name>
set USE_DEFAULT_WORDLIST false
set USE_ROOT_WORDS false
run - this should successfully crack the c_three_pio hash
creds command
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <IP address of Metasploitable3>
set DB_ALL_CREDS true to use the credential pairs stored in the database.
run
creds command.
Verify the content in the API docs
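A regression check for the response shape described above, as an added example that is not part of the pull request or the Metasploit code base. The method name check_envelope, its result symbols and the sample bodies are constructed for illustration, and it assumes a list endpoint returns an array inside data while an ID endpoint returns an object inside data.

```ruby
require 'json'

# Added example: checks that a JSON API response body carries the `data`
# object wrapper. Names, result symbols and sample bodies are constructed.
#
# kind: :collection for list endpoints (e.g. /api/v1/logins),
#       :single for ID endpoints (e.g. /api/v1/logins/<ID>).
# Assumption: lists hold an array in `data`, ID lookups hold an object.
def check_envelope(body, kind)
  begin
    parsed = JSON.parse(body)
  rescue JSON::ParserError
    # Empty or malformed body: the endpoint did not return valid JSON.
    return :invalid_json
  end

  # A bare array or scalar at the top level means the wrapper is missing.
  return :missing_data_wrapper unless parsed.is_a?(Hash) && parsed.key?('data')

  payload = parsed['data']
  case kind
  when :collection
    payload.is_a?(Array) ? :ok : :wrong_payload_type
  when :single
    payload.is_a?(Hash) ? :ok : :wrong_payload_type
  else
    raise ArgumentError, "unknown endpoint kind: #{kind.inspect}"
  end
end

# Constructed sample bodies (not captured from a real server).
SAMPLES = {
  'logins list, unwrapped'  => ['[]', :collection],
  'other model list'        => ['{"data": []}', :collection],
  'login by ID, wrapped'    => ['{"data": {"id": 1, "status": "Unable to connect"}}', :single],
  'login by ID, empty body' => ['', :single]
}.freeze

# Returns a hash of sample name => check result.
def run_samples
  SAMPLES.transform_values { |body, kind| check_envelope(body, kind) }
end

if __FILE__ == $PROGRAM_NAME
  run_samples.each { |name, result| puts format('%-26s %s', name, result) }
end
```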