Add ye olde NIS ypserv map dumper #9368

Merged
merged 7 commits into from
Jan 11, 2018

Conversation

wvu
Contributor

@wvu wvu commented Jan 4, 2018

@sho-luv @aushack @h00die



msf auxiliary(gather/nis_ypserv_map) > run

[+] 192.168.0.159:111 - Dumping map passwd.byname on domain gesellschaft:
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
ubuntu:$6$LXFAVGTO$yiCXi1KjLynOrapuhJE7tKnvdwknDMKiKM7Z8ZB19ht6CHmsS.CbUTm8q0cy5fFHEqA.Sg4Acl.0UtY.Y0JNE1:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
games:*:5:60:games:/usr/games:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
uuidd:*:108:112::/run/uuidd:/bin/false
dnsmasq:*:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
root:*:0:0:root:/root:/bin/bash
sshd:*:110:65534::/var/run/sshd:/usr/sbin/nologin
systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
messagebus:*:107:111::/var/run/dbus:/bin/false
_apt:*:105:65534::/nonexistent:/bin/false
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
syslog:*:104:108::/home/syslog:/bin/false
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
pollinate:*:111:1::/var/cache/pollinate:/bin/false
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
lxd:*:106:65534::/var/lib/lxd/:/bin/false

[*] Auxiliary module execution completed
msf auxiliary(gather/nis_ypserv_map) > loot

Loot
====

host           service  type           name  content     info  path
----           -------  ----           ----  -------     ----  ----
192.168.0.159           passwd.byname        text/plain        /home/wvu/.msf4/loot/20180103222440_default_192.168.0.159_passwd.byname_810619.txt

msf auxiliary(gather/nis_ypserv_map) >

@wvu wvu force-pushed the feature/nis branch 2 times, most recently from 9f87fbe to 6b9cc26 Compare January 4, 2018 04:15
@wvu wvu changed the title Add NIS ypserv map dumper Add ye olde NIS ypserv map dumper Jan 4, 2018
@bcoles
Contributor

bcoles commented Jan 9, 2018

To assist in your goal to find a more elegant solution, you can rescue from the method. Saves 2 lines and about 50 bytes of indentation whitespace.

  def parse_map(res)
    map = {}

    # We steal TIMEOUT from the mixin
    Timeout.timeout(datastore['TIMEOUT']) do
      loop do
        begin
          # XXX: res is modified in place
          _, status, value, key = Rex::Encoder::XDR.decode!(
            res,
            Integer, # More: Yes
            Integer, # Status: YP_TRUE (1)
            String,  # Value: [redacted]
            String   # Key: [redacted]
          )

          map[key] = value if status == 1
        rescue Rex::ArgumentError
          vprint_status("Finished XDR decoding at #{res.inspect}")
          return map
        end
      end
    end

    map
  rescue Timeout::Error
    print_error('XDR decoding timed out (try increasing TIMEOUT?)')
    return
  end
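
An added example, not code from the PR or the module: a stand-alone Ruby version of the decode loop from the suggested parse_map, using a small hypothetical MiniXDR helper in place of Rex::Encoder::XDR and a constructed ypproc_all reply. It stops at the protocol's more = 0 terminator instead of waiting for a decode error, and keeps whatever was decoded when a reply arrives truncated.

```ruby
module MiniXDR  # hypothetical stand-in for Rex::Encoder::XDR, kept to what this loop needs
  class TooLittleData < StandardError; end
  def self.encode_int(i)
    [i].pack('l>')                        # 4-byte big-endian signed int
  end
  def self.encode_string(s)
    [s.bytesize].pack('L>') + s.b + "\0" * ((4 - s.bytesize % 4) % 4)  # NUL-pad to 4
  end
  # Decoders consume from the front of buf in place, like Rex's decode!
  def self.decode_int!(buf)
    raise TooLittleData, "Too little data to decode (#{buf.bytesize})" if buf.bytesize < 4
    buf.slice!(0, 4).unpack1('l>')
  end

  def self.decode_string!(buf)
    len = decode_int!(buf)
    padded = len + (4 - len % 4) % 4
    raise TooLittleData, "Too little data to decode (#{buf.bytesize})" if buf.bytesize < padded
    buf.slice!(0, padded).byteslice(0, len)
  end
end

YP_TRUE = 1

# Constructed reply: per entry (more=1, stat, value, key); a final more=0 ends the stream.
def build_ypall_reply(entries, trailer: true)
  out = ''.b
  entries.each do |key, value|
    out << MiniXDR.encode_int(1) << MiniXDR.encode_int(YP_TRUE)
    out << MiniXDR.encode_string(value) << MiniXDR.encode_string(key)
  end
  out << MiniXDR.encode_int(0) if trailer
  out
end

# Returns key => value; a truncated reply keeps what was decoded and says how far it got.
def parse_ypall_reply(res)
  buf = res.b
  map = {}
  loop do
    return map if MiniXDR.decode_int!(buf).zero?   # more == 0: clean end of stream
    status = MiniXDR.decode_int!(buf)
    value = MiniXDR.decode_string!(buf)
    key = MiniXDR.decode_string!(buf)
    map[key] = value if status == YP_TRUE
  end
rescue MiniXDR::TooLittleData => e
  warn "reply truncated after #{map.size} entries: #{e.message}"
  map
end
```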

@bcoles
Contributor

bcoles commented Jan 10, 2018

You may wish to rescue these errors:

RPC with config/local_only = boolean: true:

[-] 172.16.191.139:111 - Auxiliary failed: Rex::ArgumentError An invalid argument was specified. XDR: Too little data to decode (0)
[-] 172.16.191.139:111 - Call stack:
[-] 172.16.191.139:111 -   /usr/local/rvm/gems/ruby-2.3.0/gems/rex-encoder-0.1.4/lib/rex/encoder/xdr.rb:20:in `decode_int!'
[-] 172.16.191.139:111 -   /usr/local/rvm/gems/ruby-2.3.0/gems/rex-encoder-0.1.4/lib/rex/encoder/xdr.rb:101:in `block in decode!'
[-] 172.16.191.139:111 -   /usr/local/rvm/gems/ruby-2.3.0/gems/rex-encoder-0.1.4/lib/rex/encoder/xdr.rb:92:in `collect'
[-] 172.16.191.139:111 -   /usr/local/rvm/gems/ruby-2.3.0/gems/rex-encoder-0.1.4/lib/rex/encoder/xdr.rb:92:in `decode!'
[-] 172.16.191.139:111 -   /pentest/exploit/metasploit-framework/lib/msf/core/exploit/sunrpc.rb:73:in `sunrpc_create'
[-] 172.16.191.139:111 -   /pentest/exploit/metasploit-framework/modules/auxiliary/gather/nis_ypserv_map.rb:51:in `run'
[*] Auxiliary module execution completed

RPC with config/local_only = boolean: false but no NIS service:

[-] 172.16.191.139:111 - Auxiliary failed: Rex::Proto::SunRPC::RPCError 172.16.191.139:111 - SunRPC - Portmap request failed: Program not available
[-] 172.16.191.139:111 - Call stack:
[-] 172.16.191.139:111 -   /pentest/exploit/metasploit-framework/lib/msf/core/exploit/sunrpc.rb:79:in `sunrpc_create'
[-] 172.16.191.139:111 -   /pentest/exploit/metasploit-framework/modules/auxiliary/gather/nis_ypserv_map.rb:51:in `run'
[*] Auxiliary module execution completed

@bcoles
Contributor

bcoles commented Jan 10, 2018

msf auxiliary(gather/nis_ypserv_map) > run

[+] 172.16.191.139:111 - Dumping map passwd.byname on domain local.wvu:
webservd:*LK*:80:80:WebServer Reserved UID:/:
postgres:NP:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
openldap:*LK*:75:75:OpenLDAP User:/:
zfssnap:NP:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
svctag:*LK*:95:12:Service Tag UID:/:
nobody:*LK*:60001:60001:NFS Anonymous Access User:/:
netadm:*LK*:16:65:Network Admin:/:
daemon:NP:1:1::/:
nuucp:NP:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
mysql:NP:70:70:MySQL Reserved UID:/:
root:$5$ISGtuA0/$aKkY4WY6CHspmqgHHOz/gxeX4sVrsi2eVjShLwk7Fr/:0:0:Super-User:/root:/usr/bin/bash
jack:$5$4umPcfHK$meoYNatG9rgQmG.FUXHiSI8Q38v79/GvfUb7ulV1Wh2:100:10:jack:/home/jack:/usr/bin/bash
gdm:*LK*:50:50:GDM Reserved UID:/var/lib/gdm:
adm:NP:4:4:Admin:/var/adm:
noaccess:*LK*:60002:60002:No Access User:/:
unknown:*LK*:96:96:Unknown Remote UID:/:
pkg5srv:*LK*:97:97:pkg(5) server UID:/:
nobody4:*LK*:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
netcfg:*LK*:17:65:Network Configuration Admin:/:
aiuser:*LK*:61:61:AI User:/:
smmsp:NP:25:25:SendMail Message Submission Program:/:
dladm:*LK*:15:65:Datalink Admin:/:
uucp:NP:5:5:uucp Admin:/usr/lib/uucp:
upnp:NP:52:52:UPnP Server Reserved UID:/var/coherence:/bin/ksh
xvm:*LK*:60:60:xVM User:/:
sys:NP:3:3::/:
bin:NP:2:2::/usr/bin:
lp:NP:71:8:Line Printer Admin:/:

[*] Auxiliary module execution completed

Seems a TIMEOUT of 5 may be too small.

msf auxiliary(gather/nis_ypserv_map) > set map hosts.byname
map => hosts.byname
msf auxiliary(gather/nis_ypserv_map) > run

[-] 172.16.191.139:111 - Auxiliary triggered a timeout exception
[*] Auxiliary module execution completed
msf auxiliary(gather/nis_ypserv_map) > set timeout
timeout => 5
msf auxiliary(gather/nis_ypserv_map) > set timeout 10
timeout => 10
rmsf auxiliary(gather/nis_ypserv_map) > run

[+] 172.16.191.139:111 - Dumping map hosts.byname on domain local.wvu:
172.16.191.139	nis-master
127.0.0.1	solaris localhost loghost
127.0.0.1	solaris localhost loghost
127.0.0.1	solaris localhost loghost

[*] Auxiliary module execution completed

msf auxiliary(gather/nis_ypserv_map) > set map mail.aliases
map => mail.aliases
msf auxiliary(gather/nis_ypserv_map) > run

[+] 172.16.191.139:111 - Dumping map mail.aliases on domain local.wvu:
postmaster
root
root
root
root
/dev/null
root
root
root
root
root
root
@

[*] Auxiliary module execution completed

@bcoles
Contributor

bcoles commented Jan 11, 2018

If you're keen for a game of code golf, this would save a variable declaration and a couple of lines, while maintaining readability:

  def nick_to_map(nick)
    {
      'ethers'    => 'ethers.byname',
      'aliases'   => 'mail.aliases',
      'services'  => 'services.byname',
      'protocols' => 'protocols.bynumber',
      'hosts'     => 'hosts.byname',
      'networks'  => 'networks.byaddr',
      'group'     => 'group.byname',
      'passwd'    => 'passwd.byname'
    }[nick] || nick
  end

@wvu
Contributor Author

wvu commented Jan 11, 2018

Bummer I missed Rex::Proto::SunRPC::RPCError. Should have looked at the library more closely. I've improved error handling in there as a result. Still kinda janky, but I'm not going to be able to rewrite it yet.

@wvu
Contributor Author

wvu commented Jan 11, 2018

I was keeping with the documentation for ypcat, which calls it a translation table. We can do without that bit, though.

@wvu
Contributor Author

wvu commented Jan 11, 2018

Do we care to make this a scanner? I beefed up the error handling already.

@bcoles
Contributor

bcoles commented Jan 11, 2018

I don't see why this couldn't be a scanner. It would be trivial to bail out upon connection failure or Program not found.

Is there an easy way to disclose the domain automatically?

@wvu
Contributor Author

wvu commented Jan 11, 2018

I didn't think it was particularly conducive to a scanner due to the requirement of knowing the NIS domain name, which is kinda like a password before security was cool.

@wvu
Contributor Author

wvu commented Jan 11, 2018

Yes, you can disclose the domain name through bootparam, but that's something else I'm working on at the moment.

@wvu
Contributor Author

wvu commented Jan 11, 2018

But it has to be running on the same server ypserv is on. So it's a big maybe. Probably best suited for a gather module.

@bcoles
Contributor

bcoles commented Jan 11, 2018

Yeah, I guess leave it as a gather module, unless you can integrate domain discovery.

@wvu
Contributor Author

wvu commented Jan 11, 2018

I know SunRPC doesn't get much love, but I still see things like NFS all over the place. Our implementation isn't terribly robust or used by many modules. I'd like to change that.

@bcoles
Contributor

bcoles commented Jan 11, 2018

I have a couple of Solaris VMs for testing if need be.

@wvu
Contributor Author

wvu commented Jan 11, 2018

For the longest time, I wanted to see an RPC grinder in Metasploit, but I think Nmap's rpc-grind script will be superior in every way. We can play with the more service-oriented stuff, then.

Edit: superior because port scanning is a necessity, and feeding a list of open ports to Metasploit is lame.

@busterb
Member

busterb commented Jan 11, 2018

Looks good to me, OK.

@wvu wvu merged commit b1cecd4 into rapid7:master Jan 11, 2018
wvu added a commit that referenced this pull request Jan 11, 2018
@wvu
Contributor Author

wvu commented Jan 11, 2018

Release Notes

This adds a module to dump a specified map from an NIS database. Yes, that NIS.

@wvu wvu deleted the feature/nis branch January 11, 2018 04:13
@wvu wvu self-assigned this Jan 12, 2018
@wvu wvu mentioned this pull request Jan 12, 2018
@aushack
Contributor

aushack commented Jan 15, 2018

@wvu-r7 hah, well done 👍 haven't seen that in a while.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Jan 25, 2018