Changeset 5424
- Timestamp:
- 03/01/08 22:46:13 (7 months ago)
- Files:
-
- framework3/trunk/data/sql/mysql.sql (modified) (5 diffs)
- framework3/trunk/data/sql/postgres.sql (modified) (5 diffs)
- framework3/trunk/data/sql/sqlite.sql (modified) (5 diffs)
- framework3/trunk/lib/msf/core/auxiliary/report.rb (modified) (2 diffs)
- framework3/trunk/lib/msf/core/db.rb (modified) (6 diffs)
- framework3/trunk/lib/msf/core/db_objects.rb (modified) (1 diff)
- framework3/trunk/lib/msf/ui/console/command_dispatcher/db.rb (modified) (5 diffs)
- framework3/trunk/lib/rex/proto/smb/client.rb (modified) (2 diffs)
- framework3/trunk/modules/auxiliary/server/capture (added)
- framework3/trunk/modules/auxiliary/server/capture/ftp.rb (added)
- framework3/trunk/modules/auxiliary/server/capture/imap.rb (added)
- framework3/trunk/modules/auxiliary/server/capture/pop3.rb (added)
- framework3/trunk/modules/auxiliary/server/capture/smb.rb (added)
- framework3/trunk/modules/auxiliary/server/capture/smtp.rb (added)
- framework3/trunk/modules/auxiliary/server/smb_sniffer.rb (deleted)
framework3/trunk/data/sql/mysql.sql
r4177 r5424 2 2 create table hosts ( 3 3 id SERIAL PRIMARY KEY, 4 created TIMESTAMP, 4 5 address VARCHAR(16) UNIQUE, 5 6 comm VARCHAR(255), … … 13 14 id SERIAL PRIMARY KEY, 14 15 host_id INTEGER, 16 created TIMESTAMP, 15 17 port INTEGER NOT NULL, 16 18 proto VARCHAR(16) NOT NULL, … … 24 26 id SERIAL PRIMARY KEY, 25 27 service_id INTEGER, 28 created TIMESTAMP, 26 29 name VARCHAR(255), 27 30 data TEXT … … 32 35 id SERIAL PRIMARY KEY, 33 36 ref_id INTEGER, 37 created TIMESTAMP, 34 38 name VARCHAR(512) 35 39 ); … … 40 44 vuln_id INTEGER 41 45 ); 46 47 48 create table notes ( 49 id SERIAL PRIMARY KEY, 50 host_id INTEGER, 51 created TIMESTAMP, 52 ntype VARCHAR(512), 53 data TEXT 54 ); framework3/trunk/data/sql/postgres.sql
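Review bot: `created TIMESTAMP` on hosts, services, vulns, refs and notes is declared without an explicit NULL or DEFAULT; on the MySQL releases current at this time the first TIMESTAMP column of a table is, I believe, implicitly given `DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP`, so any later UPDATE (the `save` calls in db.rb after a state change) would silently overwrite the creation time the application wrote. Declaring it as `created TIMESTAMP NULL` or `created DATETIME` keeps the value db.rb supplies via Time.now. Separately, mysql.sql is the only one of the three schema files that does not drop an existing `notes` table before creating it, so re-running the script against an existing database fails on the CREATE.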
r3904 r5424 3 3 create table hosts ( 4 4 id SERIAL PRIMARY KEY, 5 created TIMESTAMP, 5 6 address VARCHAR(16) UNIQUE, 6 7 comm VARCHAR(255), … … 15 16 id SERIAL PRIMARY KEY, 16 17 host_id INTEGER, 18 created TIMESTAMP, 17 19 port INTEGER NOT NULL, 18 20 proto VARCHAR(16) NOT NULL, … … 27 29 id SERIAL PRIMARY KEY, 28 30 service_id INTEGER, 31 created TIMESTAMP, 29 32 name VARCHAR(255), 30 33 data TEXT … … 36 39 id SERIAL PRIMARY KEY, 37 40 ref_id INTEGER, 41 created TIMESTAMP, 38 42 name VARCHAR(512) 39 43 ); … … 45 49 vuln_id INTEGER 46 50 ); 51 52 drop table notes 53 54 create table notes ( 55 id SERIAL PRIMARY KEY, 56 host_id INTEGER, 57 created TIMESTAMP, 58 ntype VARCHAR(512), 59 data TEXT 60 ); framework3/trunk/data/sql/sqlite.sql
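Review bot: `drop table notes` at line 52 has no terminating semicolon, so when the file is fed to psql it is concatenated with the following `create table notes (...)` into one statement and the whole notes definition fails with a syntax error. The drop also has no `IF EXISTS`, so on a fresh database (the common case, since `notes` is new in this changeset) the statement errors; `drop table if exists notes;` handles both. The same missing `IF EXISTS` applies to `drop table notes;` in sqlite.sql, which additionally orders `created` before `host_id` unlike the other two schemas — harmless, but worth aligning.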
r5276 r5424 2 2 create table hosts ( 3 3 'id' INTEGER PRIMARY KEY NOT NULL, 4 'created' TIMESTAMP, 4 5 'address' VARCHAR(16) UNIQUE, 5 6 'comm' VARCHAR(255), … … 13 14 'id' INTEGER PRIMARY KEY NOT NULL, 14 15 'host_id' INTEGER, 16 'created' TIMESTAMP, 15 17 'port' INTEGER NOT NULL, 16 18 'proto' VARCHAR(16) NOT NULL, … … 24 26 'id' INTEGER PRIMARY KEY NOT NULL, 25 27 'service_id' INTEGER, 28 'created' TIMESTAMP, 26 29 'name' VARCHAR(1024), 27 30 'data' TEXT … … 32 35 'id' INTEGER PRIMARY KEY NOT NULL, 33 36 'ref_id' INTEGER, 37 'created' TIMESTAMP, 34 38 'name' VARCHAR(512) 35 39 ); … … 40 44 'vuln_id' INTEGER 41 45 ); 46 47 drop table notes; 48 create table notes ( 49 'id' INTEGER PRIMARY KEY NOT NULL, 50 'created' TIMESTAMP, 51 'host_id' INTEGER, 52 'ntype' VARCHAR(512), 53 'data' TEXT 54 ); framework3/trunk/lib/msf/core/auxiliary/report.rb
r3820 r5424 12 12 # Report host and service information 13 13 # 14 15 # Shortcut method for detecting when the DB is active 16 def db 17 framework.db.active 18 end 19 14 20 def report_host(opts) 15 21 return if not db … … 40 46 end 41 47 end 48 49 def report_note(opts={}) 50 return if not db 51 addr = opts[:host] || return 52 ntype = opts[:type] || return 53 data = opts[:data] || return 54 55 host = framework.db.report_host_state(self, addr, Msf::HostState::Alive) 56 note = framework.db.get_note(self, host, ntype, data) 57 end 58 59 def report_auth_info(opts={}) 60 addr = opts[:host] || return 61 data = opts[:proto] || return 42 62 43 # Shortcut method for detecting when the DB is active 44 def db 45 framework.db.active 63 opts[:type] = "auth_#{opts[:proto]}" 64 opts[:data] = 65 "AUTH #{ opts[:targ_host] || 'unknown' }:#{ opts[:targ_port] || 'unknown' } " + 66 "#{opts[:user] || "<NULL>"} #{opts[:pass] || "<NULL>" } #{opts[:extra]}" 67 report_note(opts) 46 68 end 69 47 70 48 71 end framework3/trunk/lib/msf/core/db.rb
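Review bot: `report_auth_info` writes `opts[:type]` and `opts[:data]` into the hash the caller passed in, so a caller that reuses its options hash sees it altered after the call; passing a fresh hash avoids the side effect, e.g. `report_note(opts.merge(:type => "auth_#{opts[:proto]}", :data => auth_text))` with the string built into a local first. The locals `data` in `report_auth_info` and `note` in `report_note` are assigned but never read; `return unless opts[:proto]` says the same thing without the dead variable. Since the note text carries the captured username and password verbatim, a header comment such as `# Records captured credentials in cleartext in the notes table` would make the data-handling consequence explicit to whoever operates the database.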
r4472 r5424 194 194 Vuln.find(:all) 195 195 end 196 196 197 198 # 199 # This method iterates the notes table calling the supplied block with the 200 # note instance of each entry. 201 # 202 def each_note(&block) 203 notes.each do |note| 204 block.call(note) 205 end 206 end 207 208 # 209 # This methods returns a list of all notes in the database 210 # 211 def notes 212 Note.find(:all) 213 end 214 197 215 # 198 216 # Find or create a host matching this address/comm … … 201 219 host = Host.find(:first, :conditions => [ "address = ? and comm = ?", address, comm]) 202 220 if (not host) 203 host = Host.create(:address => address, :comm => comm, :state => HostState::Unknown )221 host = Host.create(:address => address, :comm => comm, :state => HostState::Unknown, :created => Time.now) 204 222 host.save 205 223 framework.events.on_db_host(context, host) … … 219 237 :proto => proto, 220 238 :port => port, 221 :state => state 239 :state => state, 240 :created => Time.now 222 241 ) 223 242 rec.save … … 236 255 :service_id => service.id, 237 256 :name => name, 238 :data => data 257 :data => data, 258 :created => Time.now 239 259 ) 240 260 vuln.save … … 252 272 if (not ref) 253 273 ref = Ref.create( 254 :name => name 274 :name => name, 275 :created => Time.now 255 276 ) 256 277 ref.save … … 261 282 end 262 283 284 # 285 # Find or create a note matching this type/data 286 # 287 def get_note(context, host, ntype, data) 288 rec = Note.find(:first, :conditions => [ "host_id = ? and ntype = ? and data = ?", host.id, ntype, data]) 289 if (not rec) 290 rec = Note.create( 291 :host_id => host.id, 292 :ntype => ntype, 293 :data => data, 294 :created => Time.now 295 ) 296 rec.save 297 framework.events.on_db_note(context, rec) 298 end 299 return rec 300 end 301 263 302 # 264 303 # Find a reference matching this name framework3/trunk/lib/msf/core/db_objects.rb
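Review bot: `get_note` fires `framework.events.on_db_note(context, rec)`, but nothing in this changeset's file list touches the event dispatcher, so unless `on_db_note` already exists alongside `on_db_host`, the first note created raises NoMethodError after the row is written and `return rec` is never reached. The other three `create` calls in this file follow the same hook pattern, so the call itself looks intended; confirming the dispatcher has the hook (or adding it in this commit) closes the gap.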
r3902 r5424 85 85 end 86 86 87 88 # Service object definition 89 class Note < ActiveRecord::Base 90 include DBSave 91 belongs_to :host 92 93 def host 94 Host.find(:first, :conditions => [ "id = ?", host_id ]) 95 end 96 end 97 87 98 end 88 99 end framework3/trunk/lib/msf/ui/console/command_dispatcher/db.rb
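Review bot: The comment above `class Note` reads `# Service object definition`, copied from the Service class; it should read `# Note object definition`. The explicit `def host` doing `Host.find(:first, :conditions => [ "id = ?", host_id ])` shadows the accessor that `belongs_to :host` on the line above already generates, so one of the two is redundant; if the manual finder is deliberate (for example to bypass association caching), a why-comment on it would keep the next reader from removing it.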
r5247 r5424 33 33 "db_services" => "List all services in the database", 34 34 "db_vulns" => "List all vulnerabilities in the database", 35 "db_notes" => "List all notes in the database", 35 36 "db_add_host" => "Add one or more hosts to the database", 36 37 "db_add_port" => "Add a port to host", 38 "db_add_note" => "Add a note to host", 37 39 "db_autopwn" => "Automatically exploit everything", 38 40 "db_import_nessus_nbe" => "Import a Nessus scan result file (NBE)", … … 44 46 def cmd_db_hosts(*args) 45 47 framework.db.each_host do |host| 46 print_status(" Host: #{host.address}")48 print_status("Time: #{host.created} Host: #{host.address}") 47 49 end 48 50 end … … 50 52 def cmd_db_services(*args) 51 53 framework.db.each_service do |service| 52 print_status(" Service: host=#{service.host.address} port=#{service.port} proto=#{service.proto} state=#{service.state} name=#{service.name}")54 print_status("Time: #{service.created}] Service: host=#{service.host.address} port=#{service.port} proto=#{service.proto} state=#{service.state} name=#{service.name}") 53 55 end 54 56 end … … 57 59 framework.db.each_vuln do |vuln| 58 60 reflist = vuln.refs.map { |r| r.name } 59 print_status(" Vuln: host=#{vuln.host.address} port=#{vuln.service.port} proto=#{vuln.service.proto} name=#{vuln.name} refs=#{reflist.join(',')}")61 print_status("Time: #{vuln.created} Vuln: host=#{vuln.host.address} port=#{vuln.service.port} proto=#{vuln.service.proto} name=#{vuln.name} refs=#{reflist.join(',')}") 60 62 end 61 63 end 62 64 65 def cmd_db_notes(*args) 66 framework.db.each_note do |note| 67 print_status("Time: #{note.created} Note: host=#{note.host.address} type=#{note.ntype} data=#{note.data}") 68 end 69 end 70 63 71 def cmd_db_add_host(*args) 64 72 print_status("Adding #{args.length.to_s} hosts...") 65 73 args.each do |address| 66 framework.db.get_host(nil, address) 74 host = framework.db.get_host(nil, address) 75 print_status("Time: #{host.created} Host: host=#{service.host.address}") 67 76 end 
68 77 end … … 80 89 return if not service 81 90 82 print_status("Service: host=#{service.host.address} port=#{service.port} proto=#{service.proto} state=#{service.state}") 83 end 84 91 print_status("Time: #{service.created} Service: host=#{service.host.address} port=#{service.port} proto=#{service.proto} state=#{service.state}") 92 end 93 94 def cmd_db_add_note(*args) 95 if (not args or args.length < 3) 96 print_status("Usage: db_add_note [host] [type] [note]") 97 return 98 end 99 100 naddr = args.shift 101 ntype = args.shift 102 ndata = args.join(" ") 103 104 host = framework.db.get_host(nil, naddr) 105 return if not host 106 107 note = framework.db.get_note(nil, host, ntype, ndata) 108 return if not note 109 110 print_status("Time: #{note.created} Note: host=#{note.host.address} type=#{note.ntype} data=#{note.data}") 111 end 112 85 113 # 86 114 # A shotgun approach to network-wide exploitation framework3/trunk/lib/rex/proto/smb/client.rb
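Review bot: The new `print_status` in `cmd_db_add_host` interpolates `service.host.address`, but `service` is not defined in that method, so every `db_add_host` call raises NameError right after creating the host; it should be `print_status("Time: #{host.created} Host: host=#{host.address}")`. In `cmd_db_services` the format string `"Time: #{service.created}] Service: ..."` has a stray `]` after the timestamp. In `cmd_db_add_note`, `args` comes from a splat and is never nil, so `if (not args or args.length < 3)` can be just `if args.length < 3`.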
r5015 r5424 829 829 self.smb_send(pkt.to_s) 830 830 self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, false) 831 end 832 833 834 # Authenticate using extended security negotiation (NTLMv2), but stop half-way, using the temporary ID 835 def session_setup_ntlmv2_temp(domain = '', name = nil) 836 837 if (name == nil) 838 name = Rex::Text.rand_text_alphanumeric(16) 839 end 840 841 blob = UTILS.make_ntlmv2_secblob_init(domain, name) 842 843 native_data = '' 844 native_data << self.native_os + "\x00" 845 native_data << self.native_lm + "\x00" 846 847 pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct 848 self.smb_defaults(pkt['Payload']['SMB']) 849 850 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX 851 pkt['Payload']['SMB'].v['Flags1'] = 0x18 852 pkt['Payload']['SMB'].v['Flags2'] = 0x2801 853 pkt['Payload']['SMB'].v['WordCount'] = 12 854 pkt['Payload'].v['AndX'] = 255 855 pkt['Payload'].v['MaxBuff'] = 0xffdf 856 pkt['Payload'].v['MaxMPX'] = 2 857 pkt['Payload'].v['VCNum'] = 1 858 pkt['Payload'].v['SecurityBlobLen'] = blob.length 859 pkt['Payload'].v['Capabilities'] = 0x8000d05c 860 pkt['Payload'].v['SessionKey'] = self.session_id 861 pkt['Payload'].v['Payload'] = blob + native_data 862 863 self.smb_send(pkt.to_s) 864 ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true) 865 866 # The server doesn't know about NTLM_NEGOTIATE, try ntlmv1 867 if (ack['Payload']['SMB'].v['ErrorClass'] == 0x00020002) 868 return session_setup_ntlmv1(user, pass, domain) 869 end 870 871 # Make sure the error code tells us to continue processing 872 if (ack['Payload']['SMB'].v['ErrorClass'] != 0xc0000016) 873 failure = XCEPT::ErrorCode.new 874 failure.word_count = ack['Payload']['SMB'].v['WordCount'] 875 failure.command = ack['Payload']['SMB'].v['Command'] 876 failure.error_code = ack['Payload']['SMB'].v['ErrorClass'] 877 raise failure 878 end 879 880 # Extract the SecurityBlob from the response 881 data = ack['Payload'].v['Payload'] 882 blob = data.slice!(0, 
ack['Payload'].v['SecurityBlobLen']) 883 884 # Extract the native lanman and os strings 885 info = data.split(/\x00/) 886 self.peer_native_os = info[0] 887 self.peer_native_lm = info[1] 888 889 # Save the temporary UserID for use in the next request 890 self.auth_user_id = ack['Payload']['SMB'].v['UserID'] 891 892 # Extract the NTLM challenge key the lazy way 893 cidx = blob.index("NTLMSSP\x00\x02\x00\x00\x00") 894 895 if (cidx == -1) 896 raise XCEPT::NTLM2MissingChallenge 897 end 898 899 # Store the challenge key 900 self.challenge_key = blob[cidx + 24, 8] 901 902 return ack 831 903 end 832 904 … … 1592 1664 1593 1665 # private methods 1594 protected1595 1666 attr_writer :dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os 1596 1667 attr_writer :default_domain, :default_name, :auth_user, :auth_user_id
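Review bot: In `session_setup_ntlmv2_temp`, `blob.index(...)` returns nil rather than -1 when the NTLMSSP type-2 marker is absent, so `if (cidx == -1)` never triggers and the following `blob[cidx + 24, 8]` raises NoMethodError on nil instead of the intended `XCEPT::NTLM2MissingChallenge`; use `if (cidx == nil)` (or `unless cidx`). The NTLMv1 fallback `return session_setup_ntlmv1(user, pass, domain)` references `user` and `pass`, which are neither parameters nor locals of this method — unless they resolve to methods on the client object, that branch is itself a NameError and looks carried over from a variant that takes credentials. The second hunk removes `protected` ahead of the `attr_writer` lines, making setters such as `session_id`, `challenge_key` and `auth_user_id` public; if that is intended for the new capture module, a short comment saying so would keep a later cleanup from restoring the modifier.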
