Documentation of auxiliary scanner modules #9310
Conversation
|
|
||
| ## Scenarios | ||
|
|
||
| **Running the scanner** |
There was a problem hiding this comment.
Lets change this line to
### Example Windows 2003, and Windows 7 Targets
There was a problem hiding this comment.
Hey @h00die, I am supposed to make these changes in my fork, correct?
There was a problem hiding this comment.
Yup. When you push the changes to your branch, the PR will automatically update
| @@ -0,0 +1,76 @@ | |||
| ## Description | |||
|
|
|||
| The hidden scanner connects to a given range of IP addresses and try to locate any RPC services that are not listed in the Endpoint Mapper and determine if anonymous access to the service is allowed. | |||
There was a problem hiding this comment.
try to tries
determine to determines
| **Running the scanner** | ||
| ``` | ||
| msf > use auxiliary/scanner/dcerpc/endpoint_mapper | ||
| msf auxiliary(endpoint_mapper) > show options |
There was a problem hiding this comment.
since you show setting the options, no need to show a show options. You can save 10 lines here
| **Running the scanner** | ||
| ``` | ||
| msf > use auxiliary/scanner/dcerpc/hidden | ||
| msf auxiliary(hidden) > show options |
| msf auxiliary(hidden) > | ||
| ``` | ||
|
|
||
| As you can see, despite the simple setup, we still gathered some additional information about one of our targets. |
| 2. Do: ```set RHOSTS [IP]``` | ||
| 3. Do: ```run``` | ||
|
|
||
| Let the default dictionary included in Metasploit set, set our target, and let the scanner run. |
|
|
||
| ``` | ||
| > use auxiliary/scanner/http/dir_scanner | ||
| msf auxiliary(dir_scanner) > show options |
|
|
||
| ## Scenarios | ||
|
|
||
| **Running the scanner** |
There was a problem hiding this comment.
instead of this line, if you are scanning a specific box (like metasploitable 2) call that out here so someone could reproduce the same results. Typically we do this under triple # so that it makes a sub heading
| msf auxiliary(dir_scanner) > | ||
| ``` | ||
|
|
||
| A quick scan has turned up a number of directories on the target server that could be certainly investigated further. |
| msf auxiliary(dir_scanner) > | ||
| ``` | ||
|
|
||
| A quick scan has turned up a number of directories on the target server that could be certainly investigated further. |
There was a problem hiding this comment.
For modules like this which are generic enough, i like to include documentation on using other "industry standard" tools which could also be used. In this case, I think showing the equivalent command in dirb would be useful.
See https://github.com/h00die/metasploit-framework/blob/b2f9bbc43c100709009e8a6d6a2050a0fec02eb3/documentation/modules/auxiliary/scanner/x11/open_x11.md#confirming as an example
|
Not done with edits, but this is also why its nice to have the docs divided up between different PRs so its not overwhelming (to review, and then to edit the review comments). Plus we could land as soon as some are ready and not e held up by others. In general pretty good, you should be able to notice the pattern: remove options line, and the bold line under scenarios. If there is an industry standard tool, add a quick show of how to use that as another way of verifying results. I didn't mark the dcerpc ones, but nmap most likely also has an equivalent. See https://github.com/h00die/metasploit-framework/blob/b2f9bbc43c100709009e8a6d6a2050a0fec02eb3/documentation/modules/auxiliary/scanner/x11/open_x11.md#confirming as an example. I'll get some time later to review some more, but feel free if you get time to edit those other docs before i get to them. Thanks for all these, big help!!!! |
|
Typically also you'll want to make a new branch in your own repo instead of using 'metasploit-framework', just a tip for the future! |
| [*] Scanned 55 of 55 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| msf auxiliary(endpoint_mapper) > | ||
| ``` |
There was a problem hiding this comment.
This would be another good candidate for the 'verify' section of showing the equivalent with nmap: https://nmap.org/nsedoc/scripts/msrpc-enum.html
| [*] Scanned 256 of 256 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| msf auxiliary(cert) > | ||
| ``` |
There was a problem hiding this comment.
Another good candidate for a 'verify' section: https://nmap.org/nsedoc/scripts/ssl-cert.html
| @@ -0,0 +1,66 @@ | |||
| ## Description | |||
|
|
|||
| The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found [here](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535). | |||
There was a problem hiding this comment.
change "/protected/" to `/protected/`
|
|
||
| The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found [here](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535). | ||
|
|
||
| CVE: CVE-2009-1535 |
| @@ -0,0 +1,66 @@ | |||
| ## Description | |||
|
|
|||
| The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found [here](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535). | |||
There was a problem hiding this comment.
Change "here" for the link to be the CVE name, i think that will look slightly better.
|
|
||
| ## Scenarios | ||
|
|
||
| **Running the scanner** |
There was a problem hiding this comment.
replace with version of OS that was scanned
| **Running the scanner** | ||
| ``` | ||
| msf > use auxiliary/scanner/smb/smb2 | ||
| msf auxiliary(smb2) > show options |
|
|
||
| ## Scenarios | ||
|
|
||
| **Running the scanner** |
There was a problem hiding this comment.
Replace with "### Uncredentialed"
| [*] Auxiliary module execution completed | ||
| msf auxiliary(smb_enumshares) > | ||
| ``` | ||
|
|
| [*] Scanned 16 of 16 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| msf auxiliary(smb_enumshares) > | ||
| ``` |
There was a problem hiding this comment.
good candidate for verify: https://nmap.org/nsedoc/scripts/smb-enum-shares.html
|
ok, all done first pass. This will shrink the PR a little with all the "options" gone. |
|
Hi @h00die, I appreciate all the review effort by you. I will do the required changes in some days and let you know at the earliest. |
|
Were you done updating everything, or should I wait on this. |
|
A few more left, will be done by next week. |
|
No need to mark each done individually. When you commit the change the comment will get hidden implying you fixed it. Just let me know when they're all done |
|
@vishalkg just wanted to check in on how it was going. I know this was a BIG undertaking, so it can take a while to get things all patched up. To save some time, you can put all the changes into one commit, no need to do a commit per edit. That may also help. |
|
@vishalkg just checking in again, its been over a month. I don't want to see all this work go to waste, so I may start doing some of the touchups to get it landed, but just wanted to check in again first. |
|
Had a few edits I went ahead and just did myself to go ahead and get this landed: c56d796 and 15a29a1 There are still a few places I think the docs could be expanded to show how other tools can verify the data, however this has been too long to not get landed. If you get time to do any more, send them in smaller batches and we should be able to get it all landed quicker. Thanks for all the work, these docs are great!!!! |
Release NotesThis PR adds a bunch of new module docs for aux scanner modules. |
Following modules have been documented:
http:
smb
mysql
msmsql
discovery
dcerpc