Arachni plugin #8618

Open · wants to merge 2 commits into base: master
4 participants
@brandonprry
Contributor

brandonprry commented Jun 26, 2017

This plugin adds support for driving an Arachni scan and saving the results in the Metasploit database. However, it seems that web vulns aren't displayed in the vulns table in msfconsole. This might be a bug, I'm not sure, but I vaguely remember having the same issue when developing the sqlmap plugin.

msf > load arachni
[*] Arachni plugin loaded.
[*] Successfully loaded plugin: Arachni
msf > arachni_connect
msf > arachni_scan http://demo.testfire.net/default.aspx "xss*"
msf > arachni_scanlog
[+] 1. Cross-Site Scripting (XSS)
[+] Scan running: true
msf > arachni_scanlog
[+] 1. Cross-Site Scripting (XSS)
[+] 2. Cross-Site Scripting (XSS) in HTML tag
[+] 3. Cross-Site Scripting (XSS)
[+] Scan running: false
msf > arachni_savelog
msf > vulns
msf > web_vulns
[-] Unknown command: web_vulns.
msf > 

I am probably going to make arachni_scanlog print a Rex::Table, but I wanted to ask about web vulns being displayed in the vulns table.

@brandonprry

brandonprry Jun 26, 2017

Contributor

Oh, the Arachni classes in Rex::Proto were shamelessly stolen from the arachni-rpc-pure GitHub repo, but these are licensed under 2- or 3-clause BSD, which I think is compatible with Metasploit.

@sempervictus

Awesome! Thank you.
Big fan of the proper separation of plugin CRUD and library components for interface. Would even suggest pushing a few more pieces to the client such as the dispatcher and instance init.

Going to try and put it through its paces tomorrow, run some functional tests and see how it works with scan grids.

Only real issue I see on first pass is the sockets use here, admittedly as I'm on a crusade to eliminate all ...Socket.new calls in the codebase (pivot all the things!).

Thanks again

OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
end
@socket = OpenSSL::SSL::SSLSocket.new(
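Review bot: the VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT mode on the SSLSocket.new line is a sound default, but it only authenticates the Arachni endpoint if the SSLContext it is attached to also carries a CA store (cert_store or ca_file) and the hostname is checked after connect; without those, verification rejects every self-signed Arachni install, which is what the NO_VERIFY suggestion in this thread is reacting to. If an unverified mode is added, make it explicit opt-in (e.g. an SSLVerify option defaulting to true), keep this mode as the default and print a warning when it is off, so an unverified RPC channel is never silent.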

@sempervictus

sempervictus Jun 27, 2017

Contributor

Would probably make sense to use Rex::Socket::TcpSsl for this to allow us to access Arachni installs on the other side of a compromised host (for instance if deploying the scanner as a form of payload for rapid internal web scans of the environment).
Forcing TLS validation may also be a problem in some cases, though optional validation is definitely a good thing (even a good default, just suggesting the option of NO_VERIFY).
Rex Socket SSL client certificate support may help a bit for this.

@sempervictus

sempervictus Jun 27, 2017

Contributor

Would probably make sense to use Rex::Socket::TcpSsl for this to allow us to access Arachni installs on the other side of a compromised host (for instance if deploying the scanner as a form of payload for rapid internal web scans of the environment).
Forcing TLS validation may also be a problem in some cases, though optional validation is definitely a good thing (even a good default, just suggesting the option of NO_VERIFY).
Rex Socket SSL client certificate support may help a bit for this.

end
def receive_object
while data = @socket.sysread( 99999 )
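Review bot: `while data = @socket.sysread( 99999 )` in receive_object reads whatever bytes happen to be available, not one complete RPC message, and SSLSocket#sysread raises EOFError at end of stream rather than returning nil, so the `while data =` condition never ends the loop by itself. Accumulate into a buffer and stop on the message framing the peer uses (length prefix or terminator), rescue EOFError explicitly, and add a comment stating what is received, unpacked and unserialized at each step, as requested in this thread.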

@sempervictus

sempervictus Jun 27, 2017

Contributor

May want to comment this process for intent and functionality - what's being recv'd, unpacked, and unserialized.

begin
Zlib::Inflate.inflate string
rescue Zlib::DataError
string
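Review bot: `rescue Zlib::DataError` around Zlib::Inflate.inflate is narrower than the case it is meant to cover: a truncated or partially received zlib stream raises Zlib::BufError, not DataError, so incomplete compressed data propagates as an exception instead of taking the fallback. Rescue Zlib::Error (the common superclass) if any inflate failure should return the raw string, and log at debug level when the fallback is taken so a receive bug is not silently treated as an uncompressed message.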

@sempervictus

sempervictus Jun 27, 2017

Contributor

Any danger in potentially returning incompletely received binary data here?

@brandonprry

brandonprry Jun 27, 2017

Contributor

Potentially, I suppose, but I'm not sure of a better way to handle the situation. This is functionally equivalent of checking the first few header bytes to determine if the string is actually zlib-compressed, and, if not, just return the data as is.

@brandonprry

brandonprry Jun 27, 2017

Contributor

You can't know if the data is zlib compressed without testing it.
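Added example, not code from this PR or from Arachni: a Ruby helper that does the zlib header check the discussion above refers to, and separates a truncated stream (Zlib::BufError) from genuinely uncompressed data, which rescuing Zlib::DataError alone does not. The module name RpcPayload and its method names are assumptions.

```ruby
require 'zlib'

# Added example (not from the PR): classify an RPC payload as plain, inflated
# or truncated instead of inflating blindly and rescuing only Zlib::DataError.
module RpcPayload
  # A zlib stream starts with CMF/FLG (RFC 1950): CM (low 4 bits of CMF) == 8
  # means deflate, and the 16-bit header must be a multiple of 31.
  def self.zlib_header?(string)
    return false if string.bytesize < 2
    cmf, flg = string.byteslice(0, 2).bytes
    (cmf & 0x0f) == 8 && ((cmf << 8) | flg) % 31 == 0
  end

  # Returns [status, data]:
  #   :plain     - not a zlib stream (or header-like but not deflate), data as-is
  #   :inflated  - decompressed successfully
  #   :truncated - looked like zlib but the stream ended early; the caller
  #                should keep reading rather than use partial bytes
  def self.decode(string)
    return [:plain, string] unless zlib_header?(string)
    [:inflated, Zlib::Inflate.inflate(string)]
  rescue Zlib::BufError
    # inflate ran out of input before reaching the end of the stream
    [:truncated, nil]
  rescue Zlib::DataError
    # header matched by coincidence but the body is not deflate data
    [:plain, string]
  end
end
```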

}
end
def cmd_arachni_connect(*args)
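Review bot: cmd_arachni_connect(*args) accepts arguments, but the Connection refused for "127.0.0.1" port 7331 reported in this thread shows the dispatcher address is fixed; parse host and port from args with those values as defaults, and rescue the connection failure into print_error so a refused connection is reported on one line rather than as a backtrace out of Rex::Proto::Arachni::Connection.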

@sempervictus

sempervictus Jun 27, 2017

Contributor

If the localhost isn't the Arachni master, this approach blows up:

[-] Error while running command arachni_connect: Connection refused - connect(2) for "127.0.0.1" port 7331

Call stack:
/opt/metasploit4/msf4/lib/rex/proto/arachni/connection.rb:51:in `initialize'
/opt/metasploit4/msf4/lib/rex/proto/arachni/connection.rb:51:in `new'
/opt/metasploit4/msf4/lib/rex/proto/arachni/connection.rb:51:in `initialize'
/opt/metasploit4/msf4/lib/rex/proto/arachni/client.rb:62:in `new'
/opt/metasploit4/msf4/lib/rex/proto/arachni/client.rb:62:in `with_connection'
/opt/metasploit4/msf4/lib/rex/proto/arachni/client.rb:53:in `call'
/opt/metasploit4/msf4/plugins/arachni.rb:28:in `cmd_arachni_connect'
)
instance_info = @dispatcher.call('dispatcher.dispatch', Rex::Text.rand_text_alpha(8))
@instance = Rex::Proto::Arachni::Client.new(
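Review bot: instance_info from @dispatcher.call('dispatcher.dispatch', ...) is handed straight to Rex::Proto::Arachni::Client.new without a check; if the dispatcher returns nil or an error payload, the failure surfaces later as an obscure exception inside the client. Validate the fields Client.new consumes before constructing it and raise a clear error otherwise, and add a comment on why a random 8-character alpha string is passed to dispatch.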

@sempervictus

sempervictus Jun 27, 2017

Contributor

See above regarding remote masters

@brandonprry

brandonprry Jun 27, 2017

Contributor

This won't work well with scan grids. I don't provide much power in managing multiple instances. You can't kick off multiple scans and track them, only one at a time. I wanted to keep it simple and easy to use.

@pbarry-r7

pbarry-r7 Jun 30, 2017

Contributor

Hey @bperry-r7, you might try loading the wmap plugin (load wmap) and see if the web vulns show up with its wmap_vulns -l command:

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_vulns
[*] Usage: wmap_vulns [options]
	-h 		Display this help text
	-l 		Display web vulns table

msf > wmap_vulns -l
[*] + [10.0.0.1] (mysite.info): imported //xmlrpc.php
[*] 	The GHOST Vulnerability 
[*] 	POST <empty response>
[*] + [10.0.0.1] (mysite.info): imported /
[*] 	WordPress Cross-Site Scripting Vulnerability 
[*] 	GET <empty response>
[*] + [10.0.0.1] (mysite.info): imported /
[*] 	WordPress Multiple Cross-Site Scripting Vulnerabilities 
[*] 	GET <empty response>
.
.
.
@brandonprry

brandonprry Jul 1, 2017

Contributor

You're right, that works to display the vulns in the database. Thanks! They should also appear in the community/pro interface regardless (as long as they are in the same workspace).

@busterb busterb added the feature label Jul 7, 2017

@brandonprry

brandonprry Jul 11, 2017

Contributor

Unfortunately I've not had time to wrap this up. I will soon though.
