Questions

0

Metasploit's Exploit results

Hello, I'm new to Metasploit - I tried Metasploit Pro (free trial) and msfconsole in Kali. I just wanted to ask for clarification on certain exploitation results that Metasploit has provided on my test target. For the exploit I just uploaded the vulnerabilities identified by Nessus into Metasploit. After that, I ran the default exploit in Metasploit. Here are a few details of the results:

1. TP-Link SC2020n Authenticated Telnet Injection

```
[+] [2017.12.27-10:28:35] Workspace:MHC 2017 VAPT - JMF Progress:710/2310 (30%) [706/2305] xxx.xx.xx.x:80 - TP-Link SC2020n Authenticated Telnet Injection
[*] [2017.12.27-10:28:36] [0706] xxxxx:80 - Exploiting
[*] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Trying to login with admin : admin
[+] [2017.12.27-10:28:36] [0706] xxxxx:80 - Successful login admin : admin
[*] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Telnet Port: 62116
[*] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Trying to establish telnet connection...
[-] [2017.12.27-10:28:36] [0706] xxxxxx:80 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (xxxxx:62116).
```

Module: https://www.rapid7.com/db/modules/exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection

So for this exploit my concerns are:

a. Port 80 is open per the nmap scan, but Nessus did not flag it as vulnerable, so why was it exploited by Metasploit?
b. I tried to log in remotely to the target IP, but was not able to gain access using the credentials Metasploit used to gain access (admin:admin) - I entered username admin and password admin. Why was I not able to log in?
c. What could I have done to successfully exploit the target?

2. Open-FTPD 1.2 Arbitrary File Upload

```
[+] [2017.12.27-10:10:07] Workspace:MHC 2017 VAPT - JMF Progress:38/2310 (1%) [34/2305] xxxxxxx:21 - Open-FTPD 1.2 Arbitrary File Upload
[*] [2017.12.27-10:10:08] [0034] Started reverse TCP handler on 0.0.0.0:1040
[*] [2017.12.27-10:10:09] [0034] xxxx:21 - Server started.
[*] [2017.12.27-10:10:10] [0034] xxxxx:21 - Trying to upload ndJDXciFuXF.exe
[*] [2017.12.27-10:10:10] [0034] xxxxxx:21 - Connecting to FTP server xxxxxx:21...
[*] [2017.12.27-10:10:10] [0034] xxxxxxx:21 - Connected to target FTP server.
[*] [2017.12.27-10:10:10] [0034] xxxxxx:21 - Set binary mode
[*] [2017.12.27-10:10:10] [0034] xxxxxxxxx:21 - Set active mode "10,111,28,37,4,17"
[+] [2017.12.27-10:10:10] [0034] xxxxxxx:21 - Upload successful
[*] [2017.12.27-10:10:12] [0034] xxxxxxxxx:21 - Trying to upload AQaAFAtyoj.mof
[*] [2017.12.27-10:10:12] [0034] xxxxxx:21 - Connecting to FTP server xxxxxxx:21...
[*] [2017.12.27-10:10:12] [0034] xxxxxxxxxx:21 - Connected to target FTP server.
[*] [2017.12.27-10:10:12] [0034] xxxxxxxxxx:21 - Set binary mode
[*] [2017.12.27-10:10:12] [0034] xxxxxxxx:21 - Set active mode "10,111,28,37,4,17"
[+] [2017.12.27-10:10:12] [0034] xxxxxxxx:21 - Upload successful
```

Module: https://www.rapid7.com/db/modules/exploit/windows/ftp/open_ftpd_wbem

Same as the first one, this was not flagged by Nessus. So my concern here is:

a. The upload was successful, but when we checked the server for the said files, they were not there (full search of the server). Why was that? Am I looking in the wrong place? What could be the reason the files were not there?

I will highly appreciate your comments on this; please provide me with tips or correct me as to how I should interpret the results.

Thank you,
Sam

Posted by Sameer Anwar about a year ago

5

Limitations in Rapid7's Help Site

Hello, I feel sorry for the Rapid7 employees who have to answer all of the questions about "why isn't this feature available" on this, the site that replaced the community site.

When we did a PoC of three different Vulnerability Management Solutions, one of the selling points, one of the things I showed off to management and executives, was how amazing the community site was. It was the reason we chose Rapid7 over Tenable. Tenable had better reporting, but Rapid7 had a community that was active, helpful, and included Rapid7 employees and users from novice to expert. It was, in fact, the most active community site I had ever seen. Much of that was due to the interface. You had a large tableau which gave you a bird's eye view of what was popular and important in that moment. Blog posts, community questions, knowledge base updates, SQL queries made available, everything from one screen. It was at your fingertips.

The new site, as I have said, expects you to know what you want to find and go to that. It is not designed around a community. This is a Feed. Nothing more. I cannot get an overview of issues others are having without lots of scrolling and clicking. I cannot get blog updates or even know they are available unless I go to a completely different website.

I get the feeling Rapid7 wants to cultivate and validate data before adding it to the general KB area. That's noble, but it doesn't seem to be happening. I submitted an update to a SQL query and it was never updated. It was a fix that the author of the script said it needed, so it isn't something I did out of the blue.

I do not understand why the old community site needed to be replaced at all. If someone, anyone, could explain it, I'd be grateful. It was a bustling community of people sharing information in near real-time. This new site may have fifteen people ask the same question because they missed it thirty-five entries down on the topic Feed.

I get that this site is a work in progress, but nothing has changed since it was introduced. No new features that I've noticed. Why was this site forced on everyone if it was not complete? Why was the old site, which was fantastic, shut down? All my old links are broken now. I have about three or four dozen links to various tidbits on the old site that all just redirect to the KB homepage.

Where is the collaboration? That's what I'm missing. And it's why I hardly ever use this site any more. It isn't worth it. Instead, I open a ticket and have Rapid7 look it up for me. My time is valuable and I cannot spend it searching and searching, posting and waiting, worrying that if I miss the email that my question was answered I'll never find my question again.

To quote my parents, "I'm not angry; I'm just disappointed." If it were a bake-off between Rapid7 and Tenable today, I'm not sure we'd make the same choice.

Posted by Jasey DePriest about a year ago

10

Writing a potential DDOS check for SQL Server Resolution Service?

I'm looking to migrate a vulnerability check from our internal vulnerability scan platform to Nexpose. I am looking to write a check that detects when a SQL Server Resolution Service running on UDP 1434 is present.

Background: The SQL Server Resolution Service running on UDP 1434 responds to a single-byte request "0x02" with a ~440x amplification factor. Detailed reference: [http://kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html](http://kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html)

Issue: Nexpose already knows how to interact with the service but does not have a vulnerability check that can be leveraged to detect and confirm that the service is configured to listen and respond via UDP. This check would serve the same intent as other checks like "netbios-nbstat-amplification" - NetBIOS NBSTAT Traffic Amplification, which only has an amplification yield of ~3x.

Current State: Nmap, Metasploit, etc. have mssql ping checks that can scan for these services. These are the checks I'm currently using to automate remediation workflows. Example: [https://www.rapid7.com/db/modules/auxiliary/scanner/mssql/mssql_ping](https://www.rapid7.com/db/modules/auxiliary/scanner/mssql/mssql_ping)

The check calls the Rex library method mssql_ping(2), from ./metasploit-framework/embedded/framework/lib/msf/core/exploit/mssql.rb:

```ruby
def mssql_ping(timeout=5)
  data = { }
  ping_sock = Rex::Socket::Udp.create(
    'PeerHost' => rhost,
    'PeerPort' => 1434,
    'Context'  => { 'Msf' => framework, 'MsfExploit' => self, })
  ping_sock.put("\x02")
  resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
  ping_sock.close
  return data if not resp
  return data if resp.length == 0
  return mssql_ping_parse(resp)
end

#
# Parse a 'ping' response and format as a hash
#
def mssql_ping_parse(data)
  res = []
  var = nil
  idx = data.index('ServerName')
  return res if not idx
  sdata = data[idx, (data.length - 1)]
  instances = sdata.split(';;')
  instances.each do |instance|
    rinst = {}
    instance.split(';').each do |d|
      if (not var)
        var = d
      else
        if (var.length > 0)
          rinst[var] = d
          var = nil
        end
      end
    end
    res << rinst
  end
  return res
end
```

Request: When I create the check, should I attempt a direct UDP connection sending 0x02 and trigger based on the response, or would it be recommended to use a more efficient way to re-use the information that was already gathered during fingerprinting that can be made granular enough to confirm that the UDP service is listening and responding with valid data? Are there any existing checks that someone can recommend that I use as a viable example? I'm currently looking through other amplification checks to see if there is already a simple template to follow.

Posted by BrianWGray about a year ago
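As an added example (not from the post above or from Metasploit's mssql.rb), here is a parser for the MS-SQLR response that the 0x02 probe elicits, with a check-style verdict on its amplification yield; unlike mssql_ping_parse it validates the 0x05 type byte and length field before trusting the body. The field names follow the protocol, while the sample host, ports, version and the 100x threshold are constructed assumptions.

```ruby
# Added example (not from the post or from Metasploit): parse an MS-SQLR
# (SQL Server Resolution Protocol) SVR_RESP datagram, as returned on UDP 1434
# for the one-byte CLNT_UCAST_EX probe 0x02, and rate its amplification yield.
#
# Wire format: RESP_TYPE (one byte, 0x05), RESP_SIZE (uint16, little-endian,
# length of RESP_DATA), then RESP_DATA as "key;value;key;value;...;;" per instance.
SSRP_RESP_TYPE = 0x05
PROBE_SIZE     = 1 # the request is the single byte 0x02

# Returns one Hash per advertised instance, or nil when the datagram is not a
# well-formed SVR_RESP (wrong type byte, truncated or padded body).
def ssrp_parse(resp)
  return nil if resp.nil? || resp.bytesize < 3
  return nil unless resp.getbyte(0) == SSRP_RESP_TYPE
  size = resp.byteslice(1, 2).unpack1('v')
  body = resp.byteslice(3, size).b
  return nil unless body.bytesize == size
  body.split(';;').reject(&:empty?).map do |instance|
    # pair up "key;value" fields; a dangling key without a value is dropped
    instance.split(';', -1).each_slice(2)
            .select { |kv| kv.size == 2 && !kv[0].empty? }.to_h
  end
end

# Bytes returned per byte sent: the post's reference reports ~440x for this
# service, against ~3x for the NetBIOS NBSTAT check it is compared with.
def ssrp_amplification(resp)
  resp.to_s.bytesize.fdiv(PROBE_SIZE)
end

# Check-style verdict: flag the host when one valid response is at least
# `threshold` times the probe size (the 100x default is a constructed value).
def amplification_finding(resp, threshold: 100)
  instances = ssrp_parse(resp)
  return { vulnerable: false, reason: 'no valid SSRP response' } if instances.nil?
  factor = ssrp_amplification(resp)
  {
    vulnerable: factor >= threshold,
    factor: factor.round(1),
    instances: instances.map { |i| i['InstanceName'] }.compact,
    reason: "#{instances.size} instance(s) advertised in #{resp.bytesize} bytes"
  }
end

# Builds an SVR_RESP from instance hashes; used only to construct sample input.
def build_sample_response(instances)
  data = instances.map { |kv| kv.to_a.flatten.join(';') + ';;' }.join
  [SSRP_RESP_TYPE, data.bytesize].pack('Cv') + data
end

# Constructed sample (hostname, ports and version are made up): a host that
# advertises a default and a named instance.
SAMPLE_RESPONSE = build_sample_response([
  { 'ServerName' => 'DBHOST01', 'InstanceName' => 'MSSQLSERVER',
    'IsClustered' => 'No', 'Version' => '12.0.2000.8', 'tcp' => '1433' },
  { 'ServerName' => 'DBHOST01', 'InstanceName' => 'SQLEXPRESS',
    'IsClustered' => 'No', 'Version' => '12.0.2000.8', 'tcp' => '49172',
    'np' => '\\\\DBHOST01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query' }
])

if __FILE__ == $PROGRAM_NAME
  p amplification_finding(SAMPLE_RESPONSE)
  p amplification_finding("\x00junk") # not an SVR_RESP at all
end
```

Feeding the datagram captured during fingerprinting into amplification_finding gives the "listening and responding with valid data" confirmation the post asks about without a second probe.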

2

SQL query question

I'm trying to make a report using SQL queries and want to basically combine the two queries below. The top one gives me host, IP, OS, and the number of critical, major and minor vulnerabilities. I want to add some tags to the list, which the second query gives me, but I am unable to figure out how to combine them. Any info or help would be great. Thanks.

```sql
SELECT da.asset_id AS "Asset ID",
       da.ip_address AS "IP Address",
       da.host_name AS "Host Name",
       dos.description AS "Operating System",
       fa.critical_vulnerabilities AS "Critical Vulnerabilities",
       fa.severe_vulnerabilities AS "Severe Vulnerabilities",
       fa.moderate_vulnerabilities AS "Moderate Vulnerabilities",
       fa.vulnerabilities AS "Total Vulnerabilities",
       to_char(round(fa.riskscore::numeric,0),'999G999G999') AS "Risk Score"
FROM dim_asset da
JOIN fact_asset fa USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
ORDER BY da.host_name
```

----

```sql
WITH custom_tags AS (
  SELECT asset_id, CSV(tag_name ORDER BY tag_name) AS custom_tags
  FROM dim_tag JOIN dim_tag_asset USING (tag_id)
  WHERE tag_type = 'CUSTOM'
  GROUP BY asset_id
),
location_tags AS (
  SELECT asset_id, CSV(tag_name ORDER BY tag_name) AS location_tags
  FROM dim_tag JOIN dim_tag_asset USING (tag_id)
  WHERE tag_type = 'LOCATION'
  GROUP BY asset_id
),
owner_tags AS (
  SELECT asset_id, CSV(tag_name ORDER BY tag_name) AS owner_tags
  FROM dim_tag JOIN dim_tag_asset USING (tag_id)
  WHERE tag_type = 'OWNER'
  GROUP BY asset_id
)
SELECT ip_address, host_name, sites, dos.description AS operating_system,
       ct.custom_tags, lt.location_tags, ot.owner_tags
FROM dim_asset
JOIN dim_operating_system dos USING (operating_system_id)
LEFT OUTER JOIN custom_tags ct USING (asset_id)
LEFT OUTER JOIN location_tags lt USING (asset_id)
LEFT OUTER JOIN owner_tags ot USING (asset_id)
```

Posted by Christian StPierre about a year ago

8

Agent communication issue

Started deployment of the agents, but only very few started reporting... posting the log for reference:

```
2017-12-11 08:57:00,202 [INFO] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Probe response received: timed out
2017-12-11 08:57:00,202 [WARNING] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Have no previous good connections, will not reconnect
2017-12-11 08:57:00,452 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:04,646 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:57:04,646 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:57:05,462 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:10,471 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:15,481 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:15,670 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:57:15,670 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:57:20,490 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:25,497 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:26,625 [INFO] agent.agent_beacon: Agent Info -- ID: b12899a8d0a85f89bf3f52265c91f8e1 Version: 1.4.72 (1509978973)
2017-12-11 08:57:26,703 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:57:26,703 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:57:27,705 [WARNING] agent.agent_socket.HAS.7328496: BeaconThread no servers available yet
2017-12-11 08:57:29,741 [WARNING] agent.agent_socket.HAS.7328496: HASocket - No servers available
2017-12-11 08:57:29,741 [ERROR] agent.agent_beacon: Failed to send beacon: No response from server
2017-12-11 08:57:29,741 [WARNING] agent.agent_beacon: Beacon did not run successfully!
2017-12-11 08:57:30,210 [INFO] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Creating new connection for probe query
2017-12-11 08:57:30,507 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:35,512 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:37,733 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:57:37,733 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:57:40,219 [WARNING] agent.agent_socket.AGS.7355280.endpoint.ingress.rapid7.com:443: SocketTracker-endpoint.ingress.rapid7.com:443 attempt 1 - Failed: timed out
2017-12-11 08:57:40,219 [INFO] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Probe response received: timed out
2017-12-11 08:57:40,219 [WARNING] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Non-responsive - jailing for 48s
2017-12-11 08:57:40,516 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:45,521 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:48,835 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:57:48,835 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:57:50,523 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:55,526 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:57:59,751 [INFO] agent.agent_beacon: Agent Info -- ID: b12899a8d0a85f89bf3f52265c91f8e1 Version: 1.4.72 (1509978973)
2017-12-11 08:57:59,892 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:57:59,892 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:58:00,533 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:00,893 [WARNING] agent.agent_socket.HAS.7328496: BeaconThread no servers available yet
2017-12-11 08:58:02,941 [WARNING] agent.agent_socket.HAS.7328496: HASocket - No servers available
2017-12-11 08:58:02,941 [ERROR] agent.agent_beacon: Failed to send beacon: No response from server
2017-12-11 08:58:02,941 [WARNING] agent.agent_beacon: Beacon did not run successfully!
2017-12-11 08:58:05,537 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:10,545 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:10,936 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:58:10,936 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:58:15,553 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:20,560 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:21,982 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:58:21,982 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:58:25,569 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:28,309 [WARNING] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Have no previous good connections, will not reconnect
2017-12-11 08:58:28,309 [INFO] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Creating new connection for probe query
2017-12-11 08:58:30,577 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:32,956 [INFO] agent.agent_beacon: Agent Info -- ID: b12899a8d0a85f89bf3f52265c91f8e1 Version: 1.4.72 (1509978973)
2017-12-11 08:58:33,003 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:58:33,003 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:58:34,006 [WARNING] agent.agent_socket.HAS.7328496: BeaconThread no servers available yet
2017-12-11 08:58:35,587 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:36,041 [WARNING] agent.agent_socket.HAS.7328496: HASocket - No servers available
2017-12-11 08:58:36,041 [ERROR] agent.agent_beacon: Failed to send beacon: No response from server
2017-12-11 08:58:36,041 [WARNING] agent.agent_beacon: Beacon did not run successfully!
2017-12-11 08:58:38,309 [WARNING] agent.agent_socket.AGS.7355280.endpoint.ingress.rapid7.com:443: SocketTracker-endpoint.ingress.rapid7.com:443 attempt 1 - Failed: timed out
2017-12-11 08:58:38,309 [INFO] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Probe response received: timed out
2017-12-11 08:58:38,309 [WARNING] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Have no previous good connections, will not reconnect
2017-12-11 08:58:40,594 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:44,021 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:58:44,021 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:58:45,603 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:50,611 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:58:55,087 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:58:55,087 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:58:55,619 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:00,628 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:05,635 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:06,041 [INFO] agent.agent_beacon: Agent Info -- ID: b12899a8d0a85f89bf3f52265c91f8e1 Version: 1.4.72 (1509978973)
2017-12-11 08:59:06,152 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:59:06,152 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:59:07,155 [WARNING] agent.agent_socket.HAS.7328496: BeaconThread no servers available yet
2017-12-11 08:59:09,202 [WARNING] agent.agent_socket.HAS.7328496: HASocket - No servers available
2017-12-11 08:59:09,202 [ERROR] agent.agent_beacon: Failed to send beacon: No response from server
2017-12-11 08:59:09,202 [WARNING] agent.agent_beacon: Beacon did not run successfully!
2017-12-11 08:59:10,642 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:15,653 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:17,219 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:59:17,219 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:59:17,313 [INFO] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Creating new connection for probe query
2017-12-11 08:59:20,661 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:25,665 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:27,323 [WARNING] agent.agent_socket.AGS.7355280.endpoint.ingress.rapid7.com:443: SocketTracker-endpoint.ingress.rapid7.com:443 attempt 1 - Failed: timed out
2017-12-11 08:59:27,323 [INFO] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Probe response received: timed out
2017-12-11 08:59:27,323 [WARNING] agent.agent_socket.SMT.58038672.endpoint.ingress.rapid7.com:443: Have no previous good connections, will not reconnect
2017-12-11 08:59:28,308 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:59:28,308 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:59:30,668 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:35,671 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:39,204 [INFO] agent.agent_beacon: Agent Info -- ID: b12899a8d0a85f89bf3f52265c91f8e1 Version: 1.4.72 (1509978973)
2017-12-11 08:59:39,392 [WARNING] agent.agent_socket.HAS.7328496: JobMessageSender no servers available yet
2017-12-11 08:59:39,392 [INFO] agent.message_bus.sndr.5348: Sent 0B of 0B from cache
2017-12-11 08:59:40,394 [WARNING] agent.agent_socket.HAS.7328496: BeaconThread no servers available yet
2017-12-11 08:59:40,675 [INFO] agent.job_manager: Verifying the status of the following running jobs: []
2017-12-11 08:59:42,443 [WARNING] agent.agent_socket.HAS.7328496: HASocket - No servers available
2017-12-11 08:59:42,443 [ERROR] agent.agent_beacon: Failed to send beacon: No response from server
2017-12-11 08:59:42,443 [WARNING] agent.agent_beacon: Beacon did not run successfully!
```

I guess there is some connection issue; any help appreciated.

Posted by Abhijeet nawale about a year ago