Add NIS bootparamd domain name disclosure #9402

Merged
merged 6 commits into from Jan 15, 2018

wvu-r7 (Contributor) commented Jan 12, 2018

  • Set up NIS as per #9368
  • Install bootparamd however your OS provides it
  • Add a client to the bootparams file, which is usually at /etc/bootparams
  • Add the client to /etc/hosts if it isn't already resolvable
  • use auxiliary/gather/nis_bootparamd_domain
  • set rhost to the server running bootparamd
  • set client to the address of the client you added to bootparams earlier
  • run
  • See the NIS domain name printed to screen
  • See the NIS domain name stored as a note
msf auxiliary(gather/nis_bootparamd_domain) > run

[+] 192.168.33.10:111 - NIS domain name for host ubuntu-xenial (192.168.33.10) is gesellschaft
[*] Auxiliary module execution completed
msf auxiliary(gather/nis_bootparamd_domain) > notes
[*] Time: 2018-01-12 23:52:50 UTC Note: host=192.168.33.10 port=111 protocol=udp type=nis.bootparamd.domain data="NIS domain name for host ubuntu-xenial (192.168.33.10) is gesellschaft"
msf auxiliary(gather/nis_bootparamd_domain) >

wvu-r7 added some commits Jan 12, 2018

Rescue Rex::Proto::SunRPC::RPCTimeout
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
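The commit message above notes that `rescue Timeout` does nothing. The reason is that `Timeout` is a module, not an exception class: Ruby accepts a module in a rescue clause and matches it with `===`, which only succeeds when the raised object `is_a?` that module, and `Timeout::Error` does not include it. The following is an added example written for this page, not code from the PR or from the Metasploit library; `slow_call` is a constructed stand-in for a network read that overruns its deadline, and the library's own `Rex::Proto::SunRPC::RPCTimeout` is not modelled.

```ruby
require 'timeout'

# Constructed stand-in for a read that exceeds its deadline.
def slow_call
  sleep 1
  :finished
end

# Buggy shape: `rescue Timeout` names the Timeout module. The clause is
# syntactically valid, but `Timeout === exc` is false for a Timeout::Error,
# so the exception is never caught here and propagates to the caller.
def rescue_module
  Timeout.timeout(0.05) { slow_call }
rescue Timeout
  :caught
end

# Fixed shape: rescue the exception class itself (a library-specific timeout
# error that subclasses Timeout::Error would match this clause as well).
def rescue_error_class
  Timeout.timeout(0.05) { slow_call }
rescue Timeout::Error
  :caught
end

# Returns true when the module-rescuing variant lets Timeout::Error escape.
def module_rescue_is_ineffective?
  rescue_module
  false
rescue Timeout::Error
  true
end

if $PROGRAM_NAME == __FILE__
  puts "rescue Timeout::Error -> #{rescue_error_class.inspect}"
  puts "rescue Timeout lets the error escape: #{module_rescue_is_ineffective?}"
end
```

Running the file prints `:caught` for the class-based rescue and `true` for the escape check, which is the behaviour the commit corrects: a timeout that was meant to be handled in the library was instead surfacing to every caller.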
bcoles (Contributor) commented Jan 13, 2018

Tested on Solaris 11.1:

msf auxiliary(gather/nis_bootparamd_domain) > set client 172.16.191.244
client => 172.16.191.244
msf auxiliary(gather/nis_bootparamd_domain) > run

[+] 172.16.191.139:111 - NIS domain name for host asdf (172.16.191.244) is local.wvu
[*] Auxiliary module execution completed

wvu-r7 (Contributor) commented Jan 13, 2018

I'll make the changes tomorrow. Thanks for the review!

@wvu-r7 wvu-r7 added the delayed label Jan 13, 2018

wvu-r7 added some commits Jan 13, 2018

Update module after feedback
Looks like I can't decide on certain style preferences.

Not keen on using blank?, but I've used it before. Time to commit?

Also, fail_with has been fixed for aux and post since #8643. Use it!

Update nis_ypserv_map after bootparam feedback
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.

@wvu-r7 wvu-r7 removed the delayed label Jan 13, 2018


bcoles approved these changes Jan 14, 2018

Address second round of feedback
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.

Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.

bcoles approved these changes Jan 14, 2018

@wvu-r7 wvu-r7 self-assigned this Jan 15, 2018

@wvu-r7 wvu-r7 closed this Jan 15, 2018

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/nis branch Jan 15, 2018

@wvu-r7 wvu-r7 merged commit 736d438 into rapid7:master Jan 15, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Jan 15, 2018


wvu-r7 (Contributor) commented Jan 15, 2018

Release Notes

This adds a module to disclose the NIS domain name from a server running bootparamd. It is meant to be used in conjunction with auxiliary/gather/nis_ypserv_map where applicable.
