Land #8372, rservice documentation

rapid7 · May 15, 2017 · 8be51bb · 8be51bb
2 parents f39e378 + fb236df
commit 8be51bb
Show file tree

Hide file tree

Showing 3 changed files with 187 additions and 0 deletions.
diff --git a/documentation/modules/auxiliary/scanner/rservices/rexec_login.md b/documentation/modules/auxiliary/scanner/rservices/rexec_login.md
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
+These services are all but unused in modern computing, as they have been replace by telnet and ssh.
+
+The following was done on Kali linux:
+
+  1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
+  2. Start the service: `service openbsd-inetd start`
+
+## Verification Steps
+
+  1. Install and configure rexec
+  2. Start msfconsole
+  3. Do: `use auxiliary/scanner/rservices/rexec_login`
+  4. Do: `set rhosts`
+  5. Set any other credentials that will need to be set
+  6. Do: `run`
+
+## Scenarios
+
+  A run against the configuration from these docs
+
+  ```
+    msf > use auxiliary/scanner/rservices/rexec_login 
+    msf auxiliary(rexec_login) > set username test
+    username => test
+    msf auxiliary(rexec_login) > set password 'test'
+    password => test
+    msf auxiliary(rexec_login) > run
+    
+    [*] 127.0.0.1:512         - 127.0.0.1:512 - Starting rexec sweep
+    [+] 127.0.0.1:512         - 127.0.0.1:512, rexec 'test' : 'test'
+    [!] 127.0.0.1:512         - *** auxiliary/scanner/rservices/rexec_login is still calling the deprecated report_auth_info method! This needs to be updated!
+    [!] 127.0.0.1:512         - *** For detailed information about LoginScanners and the Credentials objects see:
+    [!] 127.0.0.1:512         -      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
+    [!] 127.0.0.1:512         -      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
+    [!] 127.0.0.1:512         - *** For examples of modules converted to just report credentials without report_auth_info, see:
+    [!] 127.0.0.1:512         -      https://github.com/rapid7/metasploit-framework/pull/5376
+    [!] 127.0.0.1:512         -      https://github.com/rapid7/metasploit-framework/pull/5377
+    [*] Command shell session 2 opened (127.0.0.1:37489 -> 127.0.0.1:512) at 2017-04-27 20:56:54 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+## Confirming using NMAP
+
+Utilizing [rexec-brute](https://nmap.org/nsedoc/scripts/rexec-brute.html)
+
+  ```
+    nmap -p 512 --script rexec-brute 127.0.0.1
+    
+    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 21:23 EDT
+    Nmap scan report for localhost (127.0.0.1)
+    Host is up (0.000037s latency).
+    PORT    STATE SERVICE
+    512/tcp open  exec
+    | rexec-brute: 
+    |   Accounts: 
+    |     test:test - Valid credentials
+    |_  Statistics: Performed 7085940 guesses in 629 seconds, average tps: 9231.6
+  ```
diff --git a/documentation/modules/auxiliary/scanner/rservices/rlogin_login.md b/documentation/modules/auxiliary/scanner/rservices/rlogin_login.md
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
+These services are all but unused in modern computing, as they have been replace by telnet and ssh.
+
+The following was done on Kali linux:
+
+  1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
+  2. Start the service: `service openbsd-inetd start`
+
+## Verification Steps
+
+  1. Install and configure rexec
+  2. Start msfconsole
+  3. Do: `use auxiliary/scanner/rservices/rlogin_login`
+  4. Do: `set rhosts`
+  5. Set any other credentials that will need to be set
+  6. Do: `run`
+
+## Scenarios
+
+  A run against the configuration from these docs
+
+  ```
+    msf > use auxiliary/scanner/rservices/rlogin_login 
+    msf auxiliary(rlogin_login) > set rhosts 10.1.2.3
+    rhosts => 10.1.2.3
+    msf auxiliary(rlogin_login) > set password test
+    password => test
+    msf auxiliary(rlogin_login) > set username test
+    username => test
+    msf auxiliary(rlogin_login) > run
+    
+    [*] 10.1.2.3:513     - 10.1.2.3:513 - Starting rlogin sweep
+    [*] 10.1.2.3:513     - 10.1.2.3:513 - Attempting: 'test':"test" from 'root'
+    [*] 10.1.2.3:513     - 10.1.2.3:513 - Prompt: Password:
+    [*] 10.1.2.3:513     - 10.1.2.3:513 - Result:     The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.  Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
+    [+] 10.1.2.3:513     - 10.1.2.3:513, rlogin 'test' successful with password "test"
+    [!] 10.1.2.3:513     - *** auxiliary/scanner/rservices/rlogin_login is still calling the deprecated report_auth_info method! This needs to be updated!
+    [!] 10.1.2.3:513     - *** For detailed information about LoginScanners and the Credentials objects see:
+    [!] 10.1.2.3:513     -      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
+    [!] 10.1.2.3:513     -      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
+    [!] 10.1.2.3:513     - *** For examples of modules converted to just report credentials without report_auth_info, see:
+    [!] 10.1.2.3:513     -      https://github.com/rapid7/metasploit-framework/pull/5376
+    [!] 10.1.2.3:513     -      https://github.com/rapid7/metasploit-framework/pull/5377
+    [*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:513) at 2017-05-11 20:04:24 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+## Confirming using NMAP
+
+Utilizing [rlogin-brute](https://nmap.org/nsedoc/scripts/rlogin-brute.html)
+
+  ```
+    nmap -p 513 --script rlogin-brute 10.1.2.3
+    
+    Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 20:07 EDT
+    Nmap scan report for test (10.1.2.3)
+    Host is up (0.000039s latency).
+    PORT    STATE SERVICE
+    513/tcp open  login
+    | rlogin-brute: 
+    |   Accounts: No valid accounts found
+    |_  Statistics: Performed 6662201 guesses in 609 seconds, average tps: 10491.0
+    
+    Nmap done: 1 IP address (1 host up) scanned in 608.75 seconds
+  ```
diff --git a/documentation/modules/auxiliary/scanner/rservices/rsh_login.md b/documentation/modules/auxiliary/scanner/rservices/rsh_login.md
@@ -0,0 +1,57 @@
+## Vulnerable Application
+
+The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
+These services are all but unused in modern computing, as they have been replace by telnet and ssh.
+
+`rsh` relies on host names as a security mechanism.  Utilizing `+` can wildcard so any computer can connect.  In the following
+config, we'll utilize that wildcarded setting to simplify our exploitation.  **This is a glaring security issue!!!**
+However, there are exceptions to this in proprietary Unix systems which may include other mechanisms such as Kerberos
+([AIX](https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.cmds4/rsh.htm))
+
+If you encounter `Host address mismatch for `..., you may need to adjust your `/etc/hosts` file accordingly.
+
+The following was done on Kali linux:
+
+  1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
+  2. ```echo "+" > ~/.rhosts```
+  3. Start the service: `service openbsd-inetd start`
+
+## Verification Steps
+
+  1. Install and configure rexec
+  2. Start msfconsole
+  3. Do: `use auxiliary/scanner/rservices/rsh_login`
+  4. Do: `set rhosts`
+  5. Set any other credentials that will need to be set
+  6. Do: `run`
+
+## Scenarios
+
+  A run against the configuration from these docs
+
+  ```
+    msf > use auxiliary/scanner/rservices/rsh_login 
+    msf auxiliary(rsh_login) > set rhosts 10.1.2.3
+    rhosts => 10.1.2.3
+    msf auxiliary(rsh_login) > set username root
+    username => root
+    msf auxiliary(rsh_login) > run
+    
+    [*] 10.1.2.3:514     - 10.1.2.3:514 - Starting rsh sweep
+    [*] 10.1.2.3:514     - 10.1.2.3:514 - Attempting rsh with username 'root' from 'root'
+    [+] 10.1.2.3:514     - 10.1.2.3:514, rsh 'root' from 'root' with no password.
+    [!] 10.1.2.3:514     - *** auxiliary/scanner/rservices/rsh_login is still calling the deprecated report_auth_info method! This needs to be updated!
+    [!] 10.1.2.3:514     - *** For detailed information about LoginScanners and the Credentials objects see:
+    [!] 10.1.2.3:514     -      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
+    [!] 10.1.2.3:514     -      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
+    [!] 10.1.2.3:514     - *** For examples of modules converted to just report credentials without report_auth_info, see:
+    [!] 10.1.2.3:514     -      https://github.com/rapid7/metasploit-framework/pull/5376
+    [!] 10.1.2.3:514     -      https://github.com/rapid7/metasploit-framework/pull/5377
+    [*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:514) at 2017-05-11 19:56:46 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+## Confirming
+
+At the time of writing this, there was no `nmap` script equivalent.  Most modern systems have also replaced `rsh` with `ssh`.