Added tomcat_gather modules to Metasploit. #8010
I have Tomcat installed following this guide: https://www.digitalocean.com/community/tutorials/how-to-install-apache-tomcat-8-on-ubuntu-16-04 I attained a session via Python meterpreter. The module does not find the tomcat-users.xml:
I have Windows and Linux boxes with Tomcat 6, 7, 8 all installed on them that I used for writing a bunch of the Tomcat docs. I'll give it a run in the next day or two and report back.
No go for me as well; however, I got a different error.
I tried using user and root permissions.
So the interesting thing is it says
I'll retry this on a meterpreter (maybe even mettle) on my Linux box in the next few days.
end | ||
end | ||
port_path = cmd_exec('locate server.xml').split("\n") |
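Review bot: the split on the last line of this hunk assumes cmd_exec returned a string, but cmd_exec('locate server.xml') comes back nil or empty when locate is not installed, when the mlocate database has not been refreshed since Tomcat was installed, or on a session type that cannot run the command, and the output pasted below ends in a NoMethodError on nil from a split in this same method. Call .to_s before .split so an empty answer becomes an empty array, skip the loop when it is empty, and treat locate as a supplement to the fixed candidate paths the module already tries (such as /etc/tomcat8/server.xml in that output) rather than the only source.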
split assumes cmd_exec got an answer back.
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell /linux SSH tomcat:tomcat (192.168.2.118:22) 192.168.2.117:46871 -> 192.168.2.118:22 (192.168.2.118)
2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ tomcat 192.168.2.117:4433 -> 192.168.2.118:59204 (192.168.2.118)
msf auxiliary(ssh_login) >
msf auxiliary(ssh_login) >
msf auxiliary(ssh_login) > use post/multi/gather/tomcat_gather
msf post(tomcat_gather) > set session 2
session => 2
msf post(tomcat_gather) > run
[*] Unix OS detected
[-] Failed to open file: /etc/tomcat8/server.xml: core_channel_open: Operation failed: 13
[-] Post failed: NoMethodError undefined method `split' for nil:NilClass
[-] Call stack:
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:131:in `block in gathernix'
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:129:in `each'
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:129:in `gathernix'
[-] /metasploit-framework/modules/post/multi/gather/tomcat_gather.rb:150:in `run'
[*] Post module execution completed
port_path = cmd_exec('locate server.xml').split("\n") | ||
port_path.each do |path| | ||
if exist?(path) | ||
xml = read_file(path).split("\n") |
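Review bot: exist?(path) on the third line of this hunk only proves the file is present, not that the session user may read it, and the stack trace above (NoMethodError raised in 'block in gathernix', i.e. inside the each on the second line, immediately after 'core_channel_open: Operation failed: 13', which is EACCES) points at the read_file(...).split on the last line rather than at the locate call. Capture the read_file result first, skip the path with a print_error naming it when the result is nil or empty, and only then split, so an unreadable server.xml is reported instead of aborting the whole run.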
This may be the other source of the issue. What does read_file return if permission denied? In my case, the user didn't have access to open the file, got permission denied, was that tested for?
end | ||
|
||
def run() | ||
if sysinfo['OS'].include? "Windows" |
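Review bot: sysinfo on the last line of this hunk depends on meterpreter's sys extension; a plain command shell such as session 1 in the listing above (the SSH login) has no such hash, so indexing ['OS'] fails before either gather branch runs. Either restrict the module to meterpreter sessions and print_error with a hint to upgrade the session, or branch on session.platform, which shell and meterpreter sessions both expose, and add the else branch the comment below asks for so an unrecognised platform ends with a clear message rather than silently doing nothing. Minor: def run() can lose the empty parentheses.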
Still need a default case here, just in case. Maybe try both win and nix? Or error out and demand mettle/meterpreter, assuming it's a standard shell.
My WinXP box has 5.5, 6, 7, 8 all installed on it. While the module worked, it can get a little confusing which file is being accessed. I'd recommend printing the full path instead of just the file name.
@Opperkip just wanted to check in on how updates were coming along for this module
@h00die I've been implementing fixes for the Windows bit but I haven't gotten around to improving the Linux part yet.
Lemme know when it's all done and I'll run it through my 2 VMs again
@h00die You can try running them again
if exist?(conf_path) | ||
print_status("tomcat-users.xml found") | ||
print_status(conf_path + "found!") |
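Review bot: the two print_status lines in this hunk announce the same file twice; keep a single message that carries the full path through interpolation, print_status("#{conf_path} found"), which also gives the per-version disambiguation asked for in the Windows testing comment above.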
I would change this to print_status("#{conf_path} found!")
That way you use templating, and it adds a space between the file and the word "found".
@@ -85,61 +93,84 @@ def gatherwin() | |||
end | |||
end | |||
port_path = tomcat_home.split('"')[1] + "\\conf\\server.xml" | |||
port_path = tomcat_home + "\\conf\\server.xml" |
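Review bot: the removed line took tomcat_home.split('"')[1], meaning the value as read carries surrounding double quotes (typical of a registry string or quoted command output); the new line concatenates it unchanged, so unless the quotes are now stripped where tomcat_home is read, the resulting path contains a literal quote character before \conf and the later existence check fails silently. Strip the quotes at the point tomcat_home is obtained (String#delete('"') is enough), build the path with interpolation as suggested, and print_error the full path when it is not found.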
port_path = "#{tomcat_home}\\conf\\server.xml"
elsif line.include? ("<!--") | ||
comment_block = true | ||
elsif line.include? ("-->") and comment_block | ||
comment_block = false | ||
end | ||
end | ||
end | ||
else | ||
print_status("No Tomcat home can be determined") |
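Review bot: the comment tracking in this hunk breaks on a comment that opens and closes on one line (<!-- <user .../> -->, a common way to disable a sample entry): the first elsif matches '<!--' and sets comment_block, and because the '-->' test lives in a later elsif it never runs for that line, so every user entry after it is treated as commented out until some later line happens to contain '-->'. Test for '-->' on the same line before setting the flag, or hand the file to an XML parser (REXML) and let it drop comments. Two smaller points: include? ("...") with a space before the parenthesis triggers a Ruby warning, so write include?("..."); and "No Tomcat home can be determined" is an error condition, so use print_error rather than print_status.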
replace " with '
begin | ||
xml = read_file(path).split("\n") | ||
rescue | ||
print_status("Cannot open " + path + " you probably don't have permission to open the file.") |
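Review bot: a bare rescue in this hunk swallows every StandardError, not only the permission failure the message describes, so an unrelated bug in the read or the split gets reported to the user as "you probably don't have permission". Rescue the specific error, or check the read_file result for nil before calling split. Either way, after the failure xml is never assigned and whatever follows this begin/end block runs with it nil, so the rescue branch needs a next to move on to the next path, and the message belongs in print_error.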
print_status("Cannot open #{path} you probably don't have permission to open the file.")
if user_files.size > 0 | ||
user_files.each do |path| | ||
if exist?(path) | ||
print_status(path + " found") |
print_status("#{path} found")
if $username.size == 0 | ||
print_status("No user credentials have been found") | ||
end | ||
i=0 | ||
while i < $username.count | ||
print_good("Username and password found: " + $username[i] + ":" + $password[i]) |
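Review bot: $username and $password on these lines are Ruby globals, so they live for the whole msfconsole process and are shared by every instance of the module: a second run, including one against a different session, reports the credentials collected last time as well, and two jobs running at once would interleave into each other's arrays. Use instance variables initialised in run, or better a single array of [file, username, password] triples, which also carries the file path the previous comment asks for and lets the loop be an each instead of a while with a manual index. Once each triple is known, hand it to the framework's credential reporting (create_credential) as well as print_good, so the result lands in the database.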
Either this line should include the file path, or a header should be printed when you loop through the files so that we know which file the un/pass came from
In general, look through all of your strings. Don't concatenate strings with a + in Ruby; anything in single quotes is a string that doesn't have interpolation. So
So the printing of the found files is better in Windows; however, I want to know which file has the un/pass, so we'd either want:
or
Linux: Still not working if you don't have read permissions on the file.
@Opperkip it's been almost 2 weeks, just wanna check in on the updates
@h00die Did not have time to rewrite stuff yet. Hopefully I'll get to it tomorrow.
@h00die Fixes are implemented. Linux shouldn't fail now.
Linux w/ meterp works well.
Windows as well.
Release Notes: Adds a post module for gathering Apache Tomcat credentials.
intentional?
@Opperkip thanks for sticking with this one, you made a lot of changes.
@busterb nope, case of the ...fridays?...
tomcat_gather can be used to extract username and password combinations from Linux and Windows systems running Tomcat.
Verification
List the steps needed to make sure this thing works
use post/multi/gather/tomcat_gather
set session X
run
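The review above raises three behaviours the Linux path of this module has to get right: a tomcat-users.xml the session user cannot read (read_file gives back nothing), entries disabled inside <!-- --> comments, including comments that open and close on a single line, and reporting which file each credential came from. The following is an added example, not the module's code from this PR, written as plain Ruby on REXML with no Metasploit dependency; the file contents are a constructed hash standing in for what read_file would return, and TomcatUser, parse_tomcat_users and gather_tomcat_users are names chosen here. It returns the report lines instead of printing them so the result can be checked.

```ruby
require 'rexml/document'

# One user entry, tagged with the file it came from so the report can say
# which tomcat-users.xml a credential belongs to (hypothetical name).
TomcatUser = Struct.new(:path, :username, :password, :roles)

# Parse the body of one tomcat-users.xml. Unreadable files (nil content, the
# shape read_file produces on permission denied), empty files and malformed
# XML all yield [] so a caller looping over many candidate paths keeps going.
def parse_tomcat_users(path, content)
  return [] if content.nil? || content.strip.empty?
  doc = REXML::Document.new(content)
  return [] unless doc.root
  users = []
  # The XML parser drops <!-- ... --> comments, including ones that open and
  # close on one line, so commented-out <user> entries are never reported and
  # no hand-maintained comment_block flag is needed. Matching on the local
  # name also works for the Tomcat 8 style file with a default xmlns.
  doc.root.each_recursive do |el|
    next unless el.name == 'user'
    roles = (el.attributes['roles'] || '').split(',').map(&:strip)
    users << TomcatUser.new(path, el.attributes['username'],
                            el.attributes['password'], roles)
  end
  users
rescue REXML::ParseException
  []
end

# files: { path => content or nil }. Returns [report lines, unreadable paths]
# so the caller can print the two groups differently (print_good / print_error
# in a post module).
def gather_tomcat_users(files)
  lines = []
  unreadable = []
  files.each do |path, content|
    if content.nil?
      unreadable << path
      next
    end
    parse_tomcat_users(path, content).each do |u|
      lines << "#{u.path}: #{u.username}:#{u.password} [#{u.roles.join(',')}]"
    end
  end
  [lines, unreadable]
end

# Constructed sample input: a Tomcat 8 style file with a commented-out block,
# a commented-out single line and one live account, plus a second path that
# stands in for a file the session user could not read.
SAMPLE_FILES = {
  '/etc/tomcat8/tomcat-users.xml' => <<~XML,
    <?xml version="1.0" encoding="UTF-8"?>
    <tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
      <role rolename="manager-gui"/>
      <!--
      <user username="admin" password="changeme" roles="manager-gui"/>
      -->
      <!-- <user username="old" password="old" roles="manager-gui"/> -->
      <user username="deploy" password="s3cret" roles="manager-script, manager-gui"/>
    </tomcat-users>
  XML
  '/opt/tomcat7/conf/tomcat-users.xml' => nil
}

if __FILE__ == $PROGRAM_NAME
  lines, unreadable = gather_tomcat_users(SAMPLE_FILES)
  lines.each { |l| puts "[+] #{l}" }
  unreadable.each { |p| puts "[-] Cannot open #{p} (permission denied?)" }
end
```

Inside a post module the hash would be built from read_file results per candidate path, the report lines would go through print_good and the same triples could be handed to the framework's credential reporting; letting the XML parser drop comments removes the comment_block state machine entirely, and keeping the path on every entry answers the "which file did this come from" question from the review.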