Documentation of auxiliary scanner modules #9310
## Scenarios | ||
**Running the scanner** |
Let's change this line to
### Example Windows 2003, and Windows 7 Targets
Hey @h00die, I am supposed to make these changes in my fork, correct?
Yup. When you push the changes to your branch, the PR will automatically update
@@ -0,0 +1,76 @@ | |||
## Description | |||
The hidden scanner connects to a given range of IP addresses and try to locate any RPC services that are not listed in the Endpoint Mapper and determine if anonymous access to the service is allowed. |
try to tries
determine to determines
Done
**Running the scanner** | ||
``` | ||
msf > use auxiliary/scanner/dcerpc/endpoint_mapper | ||
msf auxiliary(endpoint_mapper) > show options |
since you show setting the options, no need to show a `show options`. You can save 10 lines here
Done.
**Running the scanner** | ||
``` | ||
msf > use auxiliary/scanner/dcerpc/hidden | ||
msf auxiliary(hidden) > show options |
no need for show options
Done.
msf auxiliary(hidden) > | ||
``` | ||
As you can see, despite the simple setup, we still gathered some additional information about one of our targets. |
this line can be removed
Done.
2. Do: ```set RHOSTS [IP]``` | ||
3. Do: ```run``` | ||
Let the default dictionary included in Metasploit set, set our target, and let the scanner run. |
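Review bot: the numbered steps above wrap their inline commands in triple backticks; the convention in these module docs is single backticks for inline code and fenced triple-backtick blocks only for multi-line console transcripts, so these should read `set RHOSTS [IP]` and `run`.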
remove this line
``` | ||
> use auxiliary/scanner/http/dir_scanner | ||
msf auxiliary(dir_scanner) > show options |
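Review bot: the first line of this console block is missing the `msf ` prompt prefix that every other transcript in this PR uses (it reads `> use auxiliary/scanner/http/dir_scanner` while the next line reads `msf auxiliary(dir_scanner) >`); restore it as `msf > use auxiliary/scanner/http/dir_scanner` so the block is consistent with the other module docs.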
remove
## Scenarios | ||
**Running the scanner** |
instead of this line, if you are scanning a specific box (like Metasploitable 2) call that out here so someone could reproduce the same results. Typically we do this under triple # so that it makes a subheading
msf auxiliary(dir_scanner) > | ||
``` | ||
A quick scan has turned up a number of directories on the target server that could be certainly investigated further. |
remove
For modules like this which are generic enough, I like to include documentation on using other "industry standard" tools which could also be used. In this case, I think showing the equivalent command in dirb would be useful.
See https://github.com/h00die/metasploit-framework/blob/b2f9bbc43c100709009e8a6d6a2050a0fec02eb3/documentation/modules/auxiliary/scanner/x11/open_x11.md#confirming as an example
Not done with edits, but this is also why it's nice to have the docs divided up between different PRs so it's not overwhelming (to review, and then to edit the review comments). Plus we could land as soon as some are ready and not be held up by others. In general pretty good, you should be able to notice the pattern: remove options line, and the bold line under scenarios. If there is an industry standard tool, add a quick show of how to use that as another way of verifying results. I didn't mark the dcerpc ones, but nmap most likely also has an equivalent. See https://github.com/h00die/metasploit-framework/blob/b2f9bbc43c100709009e8a6d6a2050a0fec02eb3/documentation/modules/auxiliary/scanner/x11/open_x11.md#confirming as an example. I'll get some time later to review some more, but feel free if you get time to edit those other docs before I get to them. Thanks for all these, big help!!!!
Typically also you'll want to make a new branch in your own repo instead of using 'metasploit-framework', just a tip for the future! |
[*] Scanned 55 of 55 hosts (100% complete) | ||
[*] Auxiliary module execution completed | ||
msf auxiliary(endpoint_mapper) > | ||
``` |
This would be another good candidate for the 'verify' section of showing the equivalent with nmap: https://nmap.org/nsedoc/scripts/msrpc-enum.html
[*] Scanned 256 of 256 hosts (100% complete) | ||
[*] Auxiliary module execution completed | ||
msf auxiliary(cert) > | ||
``` |
Another good candidate for a 'verify' section: https://nmap.org/nsedoc/scripts/ssl-cert.html
@@ -0,0 +1,66 @@ | |||
## Description | |||
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found [here](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535). |
change "/protected/" to `/protected/`
CVE: CVE-2009-1535 |
can be removed
Change "here" for the link to be the CVE name, I think that will look slightly better.
## Scenarios | ||
**Running the scanner** |
replace with version of OS that was scanned
**Running the scanner** | ||
``` | ||
msf > use auxiliary/scanner/smb/smb2 | ||
msf auxiliary(smb2) > show options |
remove
done.
## Scenarios | ||
**Running the scanner** |
Replace with "### Uncredentialed"
done
[*] Auxiliary module execution completed | ||
msf auxiliary(smb_enumshares) > | ||
``` | ||
add "### Credentialed"
done
[*] Scanned 16 of 16 hosts (100% complete) | ||
[*] Auxiliary module execution completed | ||
msf auxiliary(smb_enumshares) > | ||
``` |
good candidate for verify: https://nmap.org/nsedoc/scripts/smb-enum-shares.html
ok, all done first pass. This will shrink the PR a little with all the "options" gone. |
Hi @h00die, I appreciate all the review effort by you. I will do the required changes in some days and let you know at the earliest. |
Were you done updating everything, or should I wait on this?
A few more left, will be done by next week. |
No need to mark each done individually. When you commit the change the comment will get hidden implying you fixed it. Just let me know when they're all done |
@vishalkg just wanted to check in on how it was going. I know this was a BIG undertaking, so it can take a while to get things all patched up. To save some time, you can put all the changes into one commit, no need to do a commit per edit. That may also help. |
@vishalkg just checking in again, it's been over a month. I don't want to see all this work go to waste, so I may start doing some of the touchups to get it landed, but just wanted to check in again first.
Had a few edits I went ahead and just did myself to go ahead and get this landed: c56d796 and 15a29a1. There are still a few places I think the docs could be expanded to show how other tools can verify the data, however this has been too long to not get landed. If you get time to do any more, send them in smaller batches and we should be able to get it all landed quicker. Thanks for all the work, these docs are great!!!!
Release Notes

This PR adds a bunch of new module docs for aux scanner modules.
The following modules have been documented:
http
smb
mysql
mssql
discovery
dcerpc