-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add. new gather module cloud_lookup #12234
Conversation
@msjenkins-r7 test this please. |
It looks like Travis is failing due to some EOL spaces. You can run
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor spelling comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey thanks for this contribution! I went through and reviewed it just now and left quite a bit of feedback. Many of the suggestions I left use some Ruby features to condense redundant logic (and by extension reduce the lines of code) down.
A couple of reoccurring themes:
- The grammar around reporting IP addresses should use "IP address(es) found" never "IP address found(s)".
- You should prefer the
==
and!=
operators instead. You don't really need to use the.eql?
method unless you're calling it on a hash. Additionally, simplyif some_value
is preferred from a syntax perspective vsunless some_value == false
orif some_value != true
and other variations. There was quite a few of these that should really be updated.
Lastly, if you could, would you please run rubocop
on your module. It'll help you out by fixing alot of smaller syntax issues for you automatically. Just make sure to use our latest rubocop configuration .rubocop.yml
(specify it with the -c
argument).
Thank you again for your submission and let me know if you have any questions!
It looks like you just about addressed all of the comments, thank you! Were you still planning on moving the DNS enumeration functions into a mixin? It looks like there's quite a bit of overlap with the |
@smcintyre-r7 thanks for your remarks. About moving the dns function in a mixin, if you want to move the DNS functions to avoid overlapping with I observed the |
To move the functions to a mixin, you need to:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't send any messages to my email
REDACTED
Thanks
@Hi111111 You need to unsubscribe from this Issue thread and potentially unwatch the repository to avoid receiving unwanted messages in your email. We don't control who is notified (that's handled through GitHub and your configuration), but the notifications are essential for the collaboration with the involved parties. |
hello @smcintyre-r7 all is done. It is now enough to move the other functions from Do you think it would be interesting to do the same with the |
You're almost there, the 5 methods you moved into the mixin just need to be removed from the original After that I think this'll be ready for some testing and I can get it processed assuming nothing else comes up. Thanks! |
5864a7e
to
506bc42
Compare
506bc42
to
157ff68
Compare
Quick update, I made some changes to this code that you can see reflected in this branch. Some notable things I did included:
Do you have a true positive test case I can use with this? The results are censored in your documentation and previous PRs but I'd like to test this more thoroughly. If you'd like you can send the |
157ff68
to
e243d3e
Compare
Alright I was able to find a true positive test case. Following your lead I won't post the information here though. I've tested this PR successfully on a true positive and multiple true negatives. I've also tested with CENSYS API information as well as the old DNS enumeration module. At this point everything looks good to me, I'm just going to wait for the unit tests to pass and I'll get this merged in. Thank you for all of your work on this! 👍 |
Nice :) and sorry for your last request (about test cases) but I was full on a new job. |
Release NotesThis adds an auxiliary module that attempts multiple techniques to fingerprint IP addresses that can be used for directly connecting to web servers that are supposed to be protected by cloud based solutions. This helps to identify a common class of misconfiguration vulnerabilities in these scenarios. |
This module replace the previously pulls:
This module can be useful if you need to test the security of your server and your
website behind a solution Cloud based. By discovering the origin IP address of the
targeted host.
More precisely, I use multiple data sources (in order ViewDNS.info, DNS enumeration and Censys)
to collect assigned (or have been assigned) IP addresses from the targeted site or domain
that uses the following:
Amazon Cloudflare, Amazon CloudFront, ArvanCloud, Envoy Proxy, Fastly, Stackpath Fireblade,
Stackpath MaxCDN, Imperva Incapsula, InGen Security (BinarySec EasyWAF), KeyCDN, Netlify
and Sucuri.
Verification Steps
use auxiliary/gather/cloud_lookup
set hostname www.zataz.com
run
Options
CENSYS_SECRET
Your Censys API SECRET.
CENSYS_UID
Your Censys API UID.
COMPSTR
You can use a custom string to perform the comparison.
HOSTNAME
This is the hostname [fqdn] on which the website responds. But this can also be a domain.
Proxies
A proxy chain of format type:host:port[,type:host:port][...]. It's optional.
RPORT
The target TCP port on which the protected website responds. Default: 443
SSL
Negotiate SSL/TLS for outgoing connections. Default: true
THREADS
Number of concurent threads needed for DNS enumeration. Default: 8
URIPATH
The URI path on which to perform the page comparison. Default: '/'
WORDLIST
Name list required for DNS enumeration. Default: ~/metasploit-framework/data/wordlists/namelist.txt
Advanced options
DNSENUM
Set DNS enumeration as optional. Default: true
NS
Specify the nameserver to use for queries. Default: is system DNS
REPORT_LEAKS
Set to write leaked ip addresses in notes. Default: false
USERAGENT
Specify a personalized User-Agent header in HTTP requests. Default: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
TAG
Specify the HTML tag in which you want to find the fingerprint. Default: title
Useful when combined with the CMPSTR option.
TIMEOUT
HTTP(s) request timeout. Default: 5
VERBOSE
You can also enable the verbose mode to have more information displayed in the console.
Scenarios
For auditing purpose
If successful, you must be able to obtain the IP(s) address of the website as follows:
In this case 'A direct-connect IP address was found' is reported.
However, some disreputable administrators used a simple redircetion (301 and 302)
to force the passage through the WAF. This makes the IP address leak in the 'location'
parameter of the HTTP header.
For exemple:
--or--
In this case 'A leaked IP address was found' is displayed but the bypass is NOT effective.
You can also use the 'REPORT_LEAKS' option for write that in the notes.
For some reason you may need to change the URI path to interoperate with other than the index page.
To do this specific thing.
For example:
--or--
References