Single URI NTLM Info Enum #3047

Merged
merged 1 commit into from Apr 1, 2014

Conversation

4 participants
@zeroSteiner
Contributor

zeroSteiner commented Feb 28, 2014

This PR adds support to the existing ntlm_info_enumeration module to allow a single user-specified URI to be tested without needing to edit an external file. The default behavior is to use the file like the original module did.

Easiest way to test this is to target your favorite OWA server and ensure the default settings find a valid URI to retrieve NTLM information from, then set that URI to the TARGET option and change TARGETTYPE to URI.

@kaospunk
Contributor

kaospunk commented Mar 11, 2014

Tests OK for me. Does this need anything else at this point?

Mar10 23:00:05|192.168.1.30|S:0 J:0 auxiliary(ntlm_info_enumeration) > show options

Module options (auxiliary/scanner/http/ntlm_info_enumeration):

   Name        Current Setting                                                   Required  Description
   ----        ---------------                                                   --------  -----------
   Proxies                                                                       no        Use a proxy chain
   RHOSTS      192.168.1.13                                                      yes       The target address range or CIDR identifier
   RPORT       80                                                                yes       The target port
   TARGET      /opt/metasploit/apps/pro/msf3/data/wordlists/http_owa_common.txt  yes       Target URI information
   TARGETTYPE  FILE                                                              yes       Whether TARGET is a file of URIs or a single URI (accepted: FILE, URI)
   THREADS     100                                                               yes       The number of concurrent threads
   VHOST                                                                         no        HTTP server virtual host

Mar10 23:00:08|192.168.1.30|S:0 J:0 auxiliary(ntlm_info_enumeration) > run

[+] [2014.03.10-23:00:12] Enumerated info on 192.168.1.13:80/exchange/ - (name:VULNHOST) (domain:VULNHOST) (domain_fqdn:vulnhost) (server_fqdn:vulnhost)
[*] [2014.03.10-23:00:13] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Mar10 23:00:13|192.168.1.30|S:0 J:0 auxiliary(ntlm_info_enumeration) > set TARGETTYPE URI
TARGETTYPE => URI
Mar10 23:00:29|192.168.1.30|S:0 J:0 auxiliary(ntlm_info_enumeration) > set TARGET /testdir/
TARGET => /testdir/
Mar10 23:00:40|192.168.1.30|S:0 J:0 auxiliary(ntlm_info_enumeration) > run

[+] [2014.03.10-23:00:43] Enumerated info on 192.168.1.13:80/testdir/ - (name:VULNHOST) (domain:VULNHOST) (domain_fqdn:vulnhost) (server_fqdn:vulnhost)
[*] [2014.03.10-23:00:43] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Mar10 23:00:43|192.168.1.30|S:0 J:0 auxiliary(ntlm_info_enumeration) > set TARGET /nothere/
TARGET => /nothere/
Mar10 23:00:50|192.168.1.30|S:0 J:0 auxiliary(ntlm_info_enumeration) > run

[*] [2014.03.10-23:00:51] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
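The handshake behind the run above, as an added Ruby example that is not part of the module or of this PR: it builds the NTLMSSP Type 1 (NEGOTIATE_MESSAGE) a client sends to solicit a challenge, parses the Type 2 (CHALLENGE_MESSAGE) a server returns in WWW-Authenticate, and pulls the NetBIOS and DNS names out of the AV_PAIR TargetInfo block, which is where values such as name/domain/domain_fqdn/server_fqdn come from. The sample challenge is constructed inside the block (VULNHOST values chosen to mirror the output above, an arbitrary server challenge, a 48-byte fixed header with no Version field); those, and every function name, are assumptions of the example, not the module's code.

```ruby
require 'base64'

# Minimal NTLMSSP (MS-NLMP) pieces for HTTP NTLM info enumeration: send Type 1,
# parse the Type 2 from WWW-Authenticate, read host/domain names from TargetInfo.
NTLMSSP_SIGNATURE     = "NTLMSSP\x00".b
NEGOTIATE_UNICODE     = 0x00000001
NEGOTIATE_OEM         = 0x00000002
REQUEST_TARGET        = 0x00000004
NEGOTIATE_NTLM        = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids in TargetInfo; keys match the labels the module prints.
AV_IDS = {
  1 => :name,        # MsvAvNbComputerName
  2 => :domain,      # MsvAvNbDomainName
  3 => :server_fqdn, # MsvAvDnsComputerName
  4 => :domain_fqdn, # MsvAvDnsDomainName
  5 => :dns_tree     # MsvAvDnsTreeName
}.freeze

# Type 1: 32-byte NEGOTIATE_MESSAGE with empty domain and workstation fields.
def ntlm_type1
  flags = NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_SIGNATURE + [1, flags].pack('VV') +
    [0, 0, 0].pack('vvV') + # DomainNameFields: Len, MaxLen, Offset
    [0, 0, 0].pack('vvV')   # WorkstationFields
end

# Authorization header value that solicits the challenge.
def negotiate_header
  "NTLM #{Base64.strict_encode64(ntlm_type1)}"
end

def decode_str(bytes, unicode)
  return '' if bytes.nil? || bytes.empty?
  unicode ? bytes.dup.force_encoding('UTF-16LE').encode('UTF-8') : bytes.dup.force_encoding('ASCII-8BIT')
end

# Type 2: read the 48-byte fixed header, then walk the AV_PAIR list in TargetInfo.
def parse_ntlm_type2(msg)
  raise ArgumentError, 'truncated message' if msg.bytesize < 48
  raise ArgumentError, 'not an NTLMSSP message' unless msg[0, 8] == NTLMSSP_SIGNATURE
  type = msg[8, 4].unpack1('V')
  raise ArgumentError, "expected Type 2, got #{type}" unless type == 2

  tn_len, _tn_max, tn_off = msg[12, 8].unpack('vvV')
  flags = msg[20, 4].unpack1('V')
  ti_len, _ti_max, ti_off = msg[40, 8].unpack('vvV')
  unicode = (flags & NEGOTIATE_UNICODE) != 0

  info = { challenge: msg[24, 8].unpack1('H*'), target_name: decode_str(msg[tn_off, tn_len], unicode) }
  return info if (flags & NEGOTIATE_TARGET_INFO).zero? || ti_len.zero?

  pos = ti_off
  stop = [ti_off + ti_len, msg.bytesize].min
  while pos + 4 <= stop
    av_id, av_len = msg[pos, 4].unpack('vv')
    pos += 4
    break if av_id.zero?                          # MsvAvEOL terminates the list
    value = msg[pos, av_len]
    pos += av_len
    key = AV_IDS[av_id]
    info[key] = decode_str(value, true) if key    # AV_PAIR strings are always UTF-16LE
  end
  info
end

# Take the WWW-Authenticate value from the 401 and parse the Type 2 blob in it; nil if none.
def ntlm_info_from_header(www_authenticate)
  m = www_authenticate.to_s.match(%r{\ANTLM\s+([A-Za-z0-9+/=]+)})
  return nil unless m
  parse_ntlm_type2(Base64.decode64(m[1]))
end

# Same layout as the module's "Enumerated info" line.
def format_info(info)
  %i[name domain domain_fqdn server_fqdn].map { |k| "(#{k}:#{info[k]})" }.join(' ')
end

# --- constructed sample (not a real capture): what a host VULNHOST in domain VULNHOST might send
def utf16(s)
  s.encode('UTF-16LE').b
end

def av_pair(id, value)
  [id, value.bytesize].pack('vv') + value
end

def sample_type2
  target_name = utf16('VULNHOST')
  target_info = av_pair(2, utf16('VULNHOST')) + av_pair(1, utf16('VULNHOST')) +
                av_pair(4, utf16('vulnhost')) + av_pair(3, utf16('vulnhost')) + av_pair(0, ''.b)
  flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | NEGOTIATE_TARGET_INFO
  tn_off = 48                                   # payload starts right after the fixed header
  ti_off = tn_off + target_name.bytesize
  NTLMSSP_SIGNATURE + [2].pack('V') +
    [target_name.bytesize, target_name.bytesize, tn_off].pack('vvV') +
    [flags].pack('V') +
    "\x01\x23\x45\x67\x89\xab\xcd\xef".b +      # ServerChallenge (arbitrary here)
    ("\x00" * 8).b +                            # Reserved
    [target_info.bytesize, target_info.bytesize, ti_off].pack('vvV') +
    target_name + target_info
end

if $PROGRAM_NAME == __FILE__
  puts "Authorization: #{negotiate_header}"
  puts format_info(ntlm_info_from_header("NTLM #{Base64.strict_encode64(sample_type2)}"))
end
```

Against a live host one would send negotiate_header as the Authorization value in a GET to each candidate URI and hand the 401's WWW-Authenticate value to ntlm_info_from_header; a response whose header carries no NTLM blob yields nil and that URI is simply skipped. Real servers usually set NTLMSSP_NEGOTIATE_VERSION and place the payload at offset 56, which the parser handles because it follows the offsets in the header rather than assuming 48.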
@kernelsmith
Contributor

kernelsmith commented Mar 19, 2014

I've got this. I'll be testing it later today

@kernelsmith
Contributor

kernelsmith commented Mar 20, 2014

@zeroSteiner I just sent you a PR to your PR at zeroSteiner#5. The description explains it pretty well I think. Let me know what you think. It allows a single URI to be specified, but does so in a slightly different way which I think is more in line w/default behavior elsewhere in the framework (not that there's a ton of consistency in this regard).

@zeroSteiner
Contributor

zeroSteiner commented Mar 20, 2014

I merged in changes by @kernelsmith and made a minor modification to use both TARGET_URI options if they're both set. I think it might be confusing if the TARGET_URIS_FILE is set but ignored when a TARGET_URI is also set.

@zeroSteiner
Contributor

zeroSteiner commented Mar 20, 2014

Those changes have been implemented. I agree, the fail_with might be a bit of over-kill in this situation.

@kernelsmith
Contributor

kernelsmith commented Mar 20, 2014

sweet. Have you been able to test? I only have one owa site I feel comfortable testing it on, and I'm unlikely to set up my own at the moment

@zeroSteiner
Contributor

zeroSteiner commented Mar 20, 2014

Yes sir, I tested the latest commit with the changes you suggested against an OWA 2007 server with different TARGET_URI(S_FILE) combinations.

I wouldn't mind testing against something non-OWA but don't have anything at my disposal at the moment.

@kernelsmith
Contributor

kernelsmith commented Mar 21, 2014

I'll merge as soon as I figure out a networking issue which is really p'ssing me off atm

@kernelsmith
Contributor

kernelsmith commented Mar 26, 2014

Sorry @zeroSteiner, I didn't forget, but couldn't get to it. On it now, will unscrew it up

kernelsmith added a commit that referenced this pull request Mar 31, 2014

Land #3047, adds single URI to NTLM Info Enum
NOTE: changes datastore option TARGETURIS to TARGET_URIS_FILE
also adds new TARGET_URI datastore option
@kernelsmith
Contributor

kernelsmith commented Mar 31, 2014

merged, PR should close any minute now

@zeroSteiner
Contributor

zeroSteiner commented Apr 1, 2014

@kernelsmith It looks like the merge commit is missing your changes that I merged in from zeroSteiner#6. I think that's why the PR hasn't been marked as merged yet.

@kernelsmith
Contributor

kernelsmith commented Apr 1, 2014

Great. Thanks for noticing. I'll work on it. I did a fetch and merge so I thought it would have been good.

-Josh

@todb-r7
Contributor

todb-r7 commented Apr 1, 2014

@kernelsmith if you fetch upstream, checkout the PR, then land it again, it'll work out. Doing that now on your behalf. Here's the screens (note that I make heavy use of git aliases for signing and stuff in https://github.com/todb-r7/junkdrawer/blob/master/dotfiles/git-repos/gitconfig )

$ git cum
Switched to branch 'upstream-master'
Already up-to-date.
[ruby-1.9.3-p484@metasploit-framework] (upstream-master) 
todb@mazikeen:~/git/rapid7/metasploit-framework
$ git checkout upstream/pr/3047
Note: checking out 'upstream/pr/3047'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 7c8f79d... Merge logic cleanups from kernelsmith
[ruby-1.9.3-p484@metasploit-framework] ((no branch)) 
todb@mazikeen:~/git/rapid7/metasploit-framework
$ git checkout -b land-3047-really
Switched to a new branch 'land-3047-really'
[ruby-1.9.3-p484@metasploit-framework] (land-3047-really) 
todb@mazikeen:~/git/rapid7/metasploit-framework
$ git checkout upstream-master
Switched to branch 'upstream-master'
[ruby-1.9.3-p484@metasploit-framework] (upstream-master) 
todb@mazikeen:~/git/rapid7/metasploit-framework
$ git m land-3047-really

You need a passphrase to unlock the secret key for
user: "Tod Beardsley <todb@metasploit.com>"
2048-bit RSA key, ID ADB9F193, created 2012-11-27

Merge made by the 'recursive' strategy.
 modules/auxiliary/scanner/http/ntlm_info_enumeration.rb |   41 +++++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 20 deletions(-)
[ruby-1.9.3-p484@metasploit-framework] (upstream-master) 
todb@mazikeen:~/git/rapid7/metasploit-framework
$ git publish
Counting objects: 60, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (49/49), done.
Writing objects: 100% (49/49), 5.00 KiB, done.
Total 49 (delta 41), reused 0 (delta 0)
To github-r7:rapid7/metasploit-framework
   ec7bb6d..2972220  upstream-master -> master
[ruby-1.9.3-p484@metasploit-framework] (upstream-master) 
todb@mazikeen:~/git/rapid7/metasploit-framework
$ 
todb-r7 added a commit that referenced this pull request Apr 1, 2014

Land #3047 for real.
Merge branch 'land-3047-really' into upstream-master

@todb-r7 todb-r7 merged commit 7c8f79d into rapid7:master Apr 1, 2014

1 check passed: The Travis CI build passed
@todb-r7
Contributor

todb-r7 commented Apr 1, 2014

updated above with the git publish step.

@kernelsmith
Contributor

kernelsmith commented Apr 1, 2014

Yeah, I follow your landing guide pretty religiously and have all your aliases. I don't make use of every alias, but many. I apparently still manage to suck. Found out just now that blood work is kinda fucked up which can contribute to some mental slowness. Which I clearly can't afford ;)

-Josh

@zeroSteiner zeroSteiner deleted the zeroSteiner:ntlm-enum-single branch May 9, 2014
