Added tomcat_gather modules to Metasploit. #8010
Conversation
|
I have tomcat installed following this guide: https://www.digitalocean.com/community/tutorials/how-to-install-apache-tomcat-8-on-ubuntu-16-04 I attained a session via python meterpreter The module does not find the tomcat-users.xml: |
|
I have windows and linux boxes with tomcat 6,7,8 all installed on them that i used for writing a bunch of the tomcat docs. I'll give it a run in the next day or two and report back |
|
no go for me as well, however I got a different error. I tried using user and root permissions. |
|
so the interesting thing is it says |
|
i'll retry this on a meterpreter (maybe even mettle) on my linux box in the next few days |
| end | ||
| end | ||
|
|
||
| port_path = cmd_exec('locate server.xml').split("\n") |
There was a problem hiding this comment.
split assumes cmd_exec got an answer back.
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell /linux SSH tomcat:tomcat (192.168.2.118:22) 192.168.2.117:46871 -> 192.168.2.118:22 (192.168.2.118)
2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ tomcat 192.168.2.117:4433 -> 192.168.2.118:59204 (192.168.2.118)
msf auxiliary(ssh_login) >
msf auxiliary(ssh_login) >
msf auxiliary(ssh_login) > use post/multi/gather/tomcat_gather
msf post(tomcat_gather) > set session 2
session => 2
msf post(tomcat_gather) > run
[*] Unix OS detected
[-] Failed to open file: /etc/tomcat8/server.xml: core_channel_open: Operation failed: 13
[-] Post failed: NoMethodError undefined method `split' for nil:NilClass
[-] Call stack:
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:131:in `block in gathernix'
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:129:in `each'
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:129:in `gathernix'
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:150:in `run'
[*] Post module execution completed
| port_path = cmd_exec('locate server.xml').split("\n") | ||
| port_path.each do |path| | ||
| if exist?(path) | ||
| xml = read_file(path).split("\n") |
There was a problem hiding this comment.
This may be the other source of the issue. What does read_file return if permission denied? In my case, the user didn't have access to open the file, got permission denied, was that tested for?
| end | ||
|
|
||
| def run() | ||
| if sysinfo['OS'].include? "Windows" |
There was a problem hiding this comment.
still need a default case here, just in case. maybe try both win and nix? or error out and demand mettle/meterpreter assuming its a standard shell
|
My winXP box has 5.5, 6, 7, 8 all installed on it. While the module worked, it can get a little confusing which file is being accessed. Id recommend printing the full path instead of just the file name. |
|
@Opperkip just wanted to check in on how updates were coming along for this module |
|
@h00die I've been implementing fixes for the Windows bit but I haven't gotten around to improving the linux part yet. |
|
Lemme know when its all done and i'll run it through my 2 VMs again |
|
@h00die You can try running them again |
|
|
||
| if exist?(conf_path) | ||
| print_status("tomcat-users.xml found") | ||
| print_status(conf_path + "found!") |
There was a problem hiding this comment.
I would change this to print_status("#{conf_path} found!") that way you use templating and adds a space between the file and the word found.
| @@ -85,61 +93,84 @@ def gatherwin() | |||
| end | |||
| end | |||
|
|
|||
| port_path = tomcat_home.split('"')[1] + "\\conf\\server.xml" | |||
| port_path = tomcat_home + "\\conf\\server.xml" | |||
There was a problem hiding this comment.
port_path = "#{tomcat_home}\\conf\\server.xml"
| elsif line.include? ("<!--") | ||
| comment_block = true | ||
| elsif line.include? ("-->") and comment_block | ||
| comment_block = false | ||
| end | ||
| end | ||
| end | ||
| else | ||
| print_status("No Tomcat home can be determined") |
| begin | ||
| xml = read_file(path).split("\n") | ||
| rescue | ||
| print_status("Cannot open " + path + " you probably don't have permission to open the file.") |
There was a problem hiding this comment.
print_status("Cannot open #{path} you probably don't have permission to open the file.")
| if user_files.size > 0 | ||
| user_files.each do |path| | ||
| if exist?(path) | ||
| print_status(path + " found") |
There was a problem hiding this comment.
print_status("#{path} found")
| if $username.size == 0 | ||
| print_status("No user credentials have been found") | ||
| end | ||
|
|
||
| i=0 | ||
| while i < $username.count | ||
| print_good("Username and password found: " + $username[i] + ":" + $password[i]) |
There was a problem hiding this comment.
Either this line should include the file path, or a header should be printed when you loop through the files so that we know which file the un/pass came from
|
In general, look through all of your strings. don't concatenate strings with a in ruby, anything in single quote is a string that doesn't have interpolation. So |
|
So the printing of the found files is better in windows, however I want to know which file has the un/pass, so we'd either want: or |
LinuxStill not working if you don't have read permissions on the file. |
|
|
@Opperkip its been almost 2 weeks, just wanna check in on the updates |
|
@h00die Did not have time to rewrite stuff yet. Hopefully I'll get to it tomorrow. |
|
@h00die Fixes are implemented. Linux shouldn't fail now. |
|
Linux w/ meterp works well. |
|
windows as well. |
Release NotesAdds a post module for gathering Apache Tomcat credentials. |
intentional? |
|
@Opperkip thanks for sticking with this one, you made a lot of changes. |
|
@busterb nope, case of the ...fridays?... |
tomcat_gather can be used to extract username and password combinations from linux and windows systems running tomcat.
Verification
List the steps needed to make sure this thing works
use post/multi/gather/tomcat_gatherset session Xrun