
0

Metasploit's Exploit results

Hello, I'm new to Metasploit - I tried the Metasploit Pro (free trial) and the msfconsole in Kali. Just wanted to ask or get clarification on certain exploitation results that Metasploit has provided on my test target. For the exploit I just uploaded the vulnerabilities identified by Nessus in Metasploit. After that, I ran the default exploit in Metasploit. Here are a few details of the results:

1. TP-Link SC2020n Authenticated Telnet Injection

```
[+] [2017.12.27-10:28:35] Workspace:MHC 2017 VAPT - JMF Progress:710/2310 (30%) [706/2305] xxx.xx.xx.x:80 - TP-Link SC2020n Authenticated Telnet Injection
[*] [2017.12.27-10:28:36] [0706] xxxxx:80 - Exploiting
[*] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Trying to login with admin : admin
[+] [2017.12.27-10:28:36] [0706] xxxxx:80 - Successful login admin : admin
[*] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Telnet Port: 62116
[*] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Trying to establish telnet connection...
[-] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (xxxxx:62116).
```

TP-Link SC2020n Authenticated Telnet Injection: https://www.rapid7.com/db/modules/exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection

So for this exploit my concerns are:

a. Port 80 is open per nmap scan, but Nessus did not flag it as vulnerable, so why was it exploited by Metasploit?
b. I tried to login remotely to the target IP - but was not able to gain access using the credentials used by Metasploit to gain access (admin:admin) - I put it as username: admin and pw admin. Why was I not able to login?
c. What could I have done to successfully exploit the target?

2. Open-FTPD 1.2 Arbitrary File Upload

```
[+] [2017.12.27-10:10:07] Workspace:MHC 2017 VAPT - JMF Progress:38/2310 (1%) [34/2305] xxxxxxx:21 - Open-FTPD 1.2 Arbitrary File Upload
[*] [2017.12.27-10:10:08] [0034] Started reverse TCP handler on 0.0.0.0:1040
[*] [2017.12.27-10:10:09] [0034] xxxx:21 - Server started.
[*] [2017.12.27-10:10:10] [0034] xxxxx:21 - Trying to upload ndJDXciFuXF.exe
[*] [2017.12.27-10:10:10] [0034] xxxxxx:21 - Connecting to FTP server xxxxxx:21...
[*] [2017.12.27-10:10:10] [0034] xxxxxxx:21 - Connected to target FTP server.
[*] [2017.12.27-10:10:10] [0034] xxxxxx:21 - Set binary mode
[*] [2017.12.27-10:10:10] [0034] xxxxxxxxx:21 - Set active mode "10,111,28,37,4,17"
[+] [2017.12.27-10:10:10] [0034] xxxxxxx:21 - Upload successful
[*] [2017.12.27-10:10:12] [0034] xxxxxxxxx:21 - Trying to upload AQaAFAtyoj.mof
[*] [2017.12.27-10:10:12] [0034] xxxxxx:21 - Connecting to FTP server xxxxxxx:21...
[*] [2017.12.27-10:10:12] [0034] xxxxxxxxxx:21 - Connected to target FTP server.
[*] [2017.12.27-10:10:12] [0034] xxxxxxxxxx:21 - Set binary mode
[*] [2017.12.27-10:10:12] [0034] xxxxxxxx:21 - Set active mode "10,111,28,37,4,17"
[+] [2017.12.27-10:10:12] [0034] xxxxxxxx:21 - Upload successful
```

Open-FTPD 1.2 Arbitrary File Upload: https://www.rapid7.com/db/modules/exploit/windows/ftp/open_ftpd_wbem

Same as the first one, this was not flagged by Nessus. So my concerns here are:

a. The upload was successful, but when we checked the server for the said files, it was not there (full search of server). Why was that? Am I looking wrongly? What could be the reason the file was not there?

Will highly appreciate your comments on this or provide me tips or correct me as to how I should interpret the results.

Thank you,
Sam

Posted by Sameer Anwar 11 months ago
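Added example, not code from the post or from Metasploit: a small triage helper for Metasploit Pro task output like the lines quoted above. It groups status lines by task id and decides each task's outcome from its final status line, which is the point the question turns on: a "[+] Successful login" line is an intermediate step, and the task above still ends in "[-] Exploit failed". The sample lines are constructed from the post, with 192.0.2.x documentation addresses standing in for the masked hosts; the line format the regex assumes is the one visible in the post.

```ruby
# Added example (not the post's or Metasploit's code): triage Metasploit Pro
# task log lines and report what actually happened per task.
# Assumes the line shape seen in the post:
#   [-] [2017.12.27-10:28:36] [0706] 192.0.2.10:80 - Exploit failed [unreachable]: ...
# Captures: status marker, timestamp, task id, optional "host:port", message.
LINE_RE = /\A\[([+*\-!])\]\s+\[([\d.\-:]+)\]\s+\[(\d+)\]\s+(?:(\S+)\s+-\s+)?(.*)\z/

# Parse one line into a hash, or return nil for anything that is not a task
# status line (workspace progress lines, blank lines, prose).
def parse_msf_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { status: m[1], time: m[2], task: m[3], target: m[4], message: m[5] }
end

# Group status lines by task id and decide each task's outcome:
#   :failed     - a "[-] ... Exploit failed" line was logged (reason is kept)
#   :session    - a session was reported as opened
#   :no_session - nothing conclusive; "[+]" progress lines alone do not prove
#                 the target was compromised
def triage_msf_log(lines)
  tasks = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    event = parse_msf_line(line)
    tasks[event[:task]] << event if event
  end
  tasks.map do |task, events|
    failed  = events.find { |e| e[:status] == '-' && e[:message] =~ /Exploit failed/ }
    session = events.find { |e| e[:message] =~ /session \d+ opened/i }
    outcome = if failed then :failed elsif session then :session else :no_session end
    {
      task: task,
      target: events.map { |e| e[:target] }.compact.first,
      outcome: outcome,
      reason: failed && failed[:message],
      positives: events.count { |e| e[:status] == '+' }
    }
  end
end

# Constructed sample modelled on the two tasks in the post.
SAMPLE_LOG = <<~LOG
  [+] [2017.12.27-10:28:35] Workspace:MHC 2017 VAPT - JMF Progress:710/2310 (30%) [706/2305] 192.0.2.10:80 - TP-Link SC2020n Authenticated Telnet Injection
  [*] [2017.12.27-10:28:36] [0706] 192.0.2.10:80 - Exploiting
  [*] [2017.12.27-10:28:36] [0706] 192.0.2.10:80 - Trying to login with admin : admin
  [+] [2017.12.27-10:28:36] [0706] 192.0.2.10:80 - Successful login admin : admin
  [*] [2017.12.27-10:28:36] [0706] 192.0.2.10:80 - Telnet Port: 62116
  [*] [2017.12.27-10:28:36] [0706] 192.0.2.10:80 - Trying to establish telnet connection...
  [-] [2017.12.27-10:28:36] [0706] 192.0.2.10:80 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.0.2.10:62116).
  [*] [2017.12.27-10:10:08] [0034] Started reverse TCP handler on 0.0.0.0:1040
  [*] [2017.12.27-10:10:10] [0034] 192.0.2.20:21 - Trying to upload ndJDXciFuXF.exe
  [+] [2017.12.27-10:10:10] [0034] 192.0.2.20:21 - Upload successful
LOG

if __FILE__ == $PROGRAM_NAME
  triage_msf_log(SAMPLE_LOG.lines).each do |t|
    detail = t[:reason] ? " - #{t[:reason]}" : ''
    puts "task #{t[:task]} #{t[:target]}: #{t[:outcome]} (#{t[:positives]} [+] lines)#{detail}"
  end
end
```

Run against the full task log, the first task comes out as :failed with the Rex::ConnectionRefused reason attached, and the FTP task comes out as :no_session because "Upload successful" is a step, not a session; the triage never promotes a "[+]" line on its own to a compromise.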

5

Limitations in Rapid7's Help Site

Hello, I feel sorry for the Rapid7 employees who have to answer all of the questions about "why isn't this feature available" on this, the site that replaced the community site.

When we did a PoC of three different Vulnerability Management Solutions, one of the selling points, one of the things I showed off to management and executives, was how amazing the community site was. It was the reason we chose Rapid7 over Tenable. Tenable had better reporting, but Rapid7 had a community that was active, helpful, and included Rapid7 employees and users from novice to expert. It was, in fact, the most active community site I had ever seen. Much of that was due to the interface. You had a large tableau which gave you a bird's eye view of what was popular and important in that moment. Blog posts, community questions, knowledge base updates, SQL queries made available, everything from one screen. It was at your fingertips.

The new site, as I have said, expects you to know what you want to find and go to that. It is not designed around a community. This is a Feed. Nothing more. I cannot get an overview of issues others are having without lots of scrolling and clicking. I cannot get Blog updates or even know they are available unless I go to a completely different website. I get the feeling Rapid7 wants to cultivate and validate data before adding it to the general KB area. That's noble, but it doesn't seem to be happening. I submitted an update to a SQL query and it was never updated. It was a fix that the author of the script said it needed, so it isn't something I did out of the blue.

I do not understand why the old community site needed to be replaced at all. If someone, anyone, could explain it, I'd be grateful. It was a bustling community of people sharing information in near real-time. This new site may have fifteen people ask the same question because they missed it thirty-five entries down on the topic Feed.

I get that this site is a work in progress, but nothing has changed since it was introduced. No new features that I've noticed. Why was this site forced on everyone if it was not complete? Why was the old site, which was fantastic, shut down? All my old links are broken now. I have about three or four dozen links to various tidbits on the old site that all just redirect to the KB homepage. Where is the collaboration? That's what I'm missing. And it's why I hardly ever use this site any more. It isn't worth it. Instead, I open a ticket and have Rapid7 look it up for me. My time is valuable and I cannot spend it searching and searching, posting and waiting, worrying that if I miss the email that my question was answered I'll never find my question again. To quote my parents, "I'm not angry; I'm just disappointed." If it were a bake-off between Rapid7 and Tenable today, I'm not sure we'd make the same choice.

Posted by Jasey DePriest 11 months ago

10

Writing a potential DDOS check for SQL Server Resolution Service?

I'm looking to migrate a vulnerability check from our internal vulnerability scan platform to Nexpose. I am looking to write a check that detects when an SQL Server Resolution Service running on UDP 1434 is present.

Background: The SQL Server Resolution Service running on UDP 1434 responds to a single byte request "0x02" with a ~440x amplification factor. Detailed reference: [http://kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html](http://kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html)

Issue: Nexpose already knows how to interact with the service but does not have a vulnerability check that can be leveraged to detect and confirm that the service is configured to listen and respond via UDP. This check would serve the same intent as other checks like "netbios-nbstat-amplification" - NetBIOS NBSTAT Traffic Amplification, which only have an amplification yield of ~3x.

Current State: Nmap, Metasploit, etc. have mssql ping checks that can scan for these services. These are the checks I'm currently using to automate remediation workflows. ex: [https://www.rapid7.com/db/modules/auxiliary/scanner/mssql/mssql_ping](https://www.rapid7.com/db/modules/auxiliary/scanner/mssql/mssql_ping)

The check calls the rex library method mssql_ping(2). From: ./metasploit-framework/embedded/framework/lib/msf/core/exploit/mssql.rb

```ruby
def mssql_ping(timeout=5)
  data = { }
  ping_sock = Rex::Socket::Udp.create(
    'PeerHost' => rhost,
    'PeerPort' => 1434,
    'Context'  => {
      'Msf'        => framework,
      'MsfExploit' => self,
    })
  ping_sock.put("\x02")
  resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
  ping_sock.close
  return data if not resp
  return data if resp.length == 0
  return mssql_ping_parse(resp)
end

#
# Parse a 'ping' response and format as a hash
#
def mssql_ping_parse(data)
  res = []
  var = nil
  idx = data.index('ServerName')
  return res if not idx
  sdata = data[idx, (data.length - 1)]
  instances = sdata.split(';;')
  instances.each do |instance|
    rinst = {}
    instance.split(';').each do |d|
      if (not var)
        var = d
      else
        if (var.length > 0)
          rinst[var] = d
          var = nil
        end
      end
    end
    res << rinst
  end
  return res
end
```

Request: When I create the check should I attempt a direct UDP connection sending 0x02 and triggering based on the response or would it be recommended to use a more efficient way to re-use the information that was already gathered during fingerprinting that can be made granular enough to confirm that the UDP service is listening and responding with valid data? Are there any existing checks that someone can recommend that I use as a viable example? I'm currently looking through other amplification checks to see if there is already a simple template to follow.

Posted by BrianWGray 11 months ago
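Added example, not code from the post, from Nexpose or from Metasploit: the pieces a "does SSRP answer over UDP 1434" check needs, written so the parsing and the amplification measurement run offline against a constructed response. It goes slightly beyond the Metasploit parser quoted above in that it validates the response header and computes the bytes-received-per-byte-sent ratio the check would report. The response layout assumed is the MC-SQLR SVR_RESP message (opcode 0x05, 16-bit little-endian length, then ASCII "key;value;...;;" records, one per instance); the 10x threshold, the host name and instance names, and the function names are all assumptions of this example. probe_ssrp sends the same single 0x02 byte the Metasploit module sends and is only used if you call it with a host.

```ruby
# Added example (not the post's, Nexpose's or Metasploit's code): an offline
# SSRP response parser plus an amplification-ratio check, and the one-byte
# UDP probe that would feed it on a live host.
require 'socket'

# The CLNT_UCAST_EX request: a single 0x02 byte.
SSRP_REQUEST = "\x02".b

# Parse a SVR_RESP payload into one hash per instance, or nil if the bytes
# are not a well-formed SSRP response (wrong opcode, truncated, empty body).
# Assumed layout: 0x05, uint16 little-endian length, ASCII "k;v;...;;" records.
def ssrp_parse(resp)
  return nil if resp.nil? || resp.bytesize < 3 || resp.getbyte(0) != 0x05
  size = resp.byteslice(1, 2).unpack('v').first
  body = resp.byteslice(3, size)
  return nil if body.nil? || body.empty?
  body.split(';;').reject(&:empty?).map do |record|
    # Pair up "key;value" fields; a dangling key with no value maps to nil
    record.split(';').each_slice(2).each_with_object({}) { |(k, v), h| h[k] = v }
  end
end

# Bytes received per byte sent. With a one-byte request this is simply the
# response length, which is why the post quotes ~440x for this service.
def amplification_factor(response, request = SSRP_REQUEST)
  return 0.0 if response.nil? || response.empty?
  response.bytesize.to_f / request.bytesize
end

# Check result for one host. min_amplification is an assumed threshold: the
# post quotes ~3x for NetBIOS NBSTAT, so anything well above that is flagged.
def ssrp_check(response, min_amplification: 10.0)
  instances = ssrp_parse(response)
  factor = amplification_factor(response)
  {
    listening: !instances.nil?,
    instances: instances || [],
    amplification: factor,
    flag: !instances.nil? && factor >= min_amplification
  }
end

# Active probe: send the single byte and wait up to `timeout` seconds.
# Returns the raw response, or nil if nothing came back in time.
def probe_ssrp(host, port: 1434, timeout: 5)
  sock = UDPSocket.new
  sock.send(SSRP_REQUEST, 0, host, port)
  return nil unless IO.select([sock], nil, nil, timeout)
  resp, _from = sock.recvfrom(65535)
  resp
ensure
  sock.close if sock
end

# Build a SVR_RESP message around a body; used only for the constructed sample.
def build_ssrp_response(body)
  [0x05, body.bytesize].pack('Cv') + body.b
end

# Constructed sample: one host answering for two instances (names are made up).
SAMPLE_BODY = 'ServerName;SQLHOST01;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.50.1600.1;tcp;1433;;' \
              'ServerName;SQLHOST01;InstanceName;SQLEXPRESS;IsClustered;No;Version;10.50.1600.1;tcp;49172;;'
SAMPLE_RESPONSE = build_ssrp_response(SAMPLE_BODY)

if __FILE__ == $PROGRAM_NAME
  result = ssrp_check(SAMPLE_RESPONSE)
  puts "listening=#{result[:listening]} amplification=#{result[:amplification]}x flag=#{result[:flag]}"
  result[:instances].each { |i| puts "  #{i['InstanceName']} (#{i['Version']}) tcp=#{i['tcp']}" }
end
```

Whichever way the Nexpose check is wired (a direct probe or reuse of fingerprint data), the evidence it should record is the same two facts this code returns: that a well-formed SSRP response arrived over UDP, and how many bytes it carried relative to the one-byte request. Checking the opcode and length before trusting the body also avoids counting an unrelated UDP reply as a hit.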