From 7f34e985f76e013ac7cac72b356a6c8423055866 Mon Sep 17 00:00:00 2001 From: h00die Date: Thu, 11 May 2017 17:08:21 -0400 Subject: [PATCH 1/3] rexec docs --- .../scanner/rservices/rexec_login.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/rservices/rexec_login.md diff --git a/documentation/modules/auxiliary/scanner/rservices/rexec_login.md b/documentation/modules/auxiliary/scanner/rservices/rexec_login.md new file mode 100644 index 000000000000..270312c2c42c --- /dev/null +++ b/documentation/modules/auxiliary/scanner/rservices/rexec_login.md 
@@ -0,0 +1,62 @@ +## Vulnerable Application + +The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s. +These services are all but unused in modern computing, as they have been replace by telnet and ssh. + +The following was done on Kali linux: + + 1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`. + 2. Start the service: `service openbsd-inetd start` + +## Verification Steps + + 1. Install and configure rexec + 2. Start msfconsole + 3. Do: `use auxiliary/scanner/rservices/rexec_login` + 4. Do: `set rhosts` + 5. Set any other credentials that will need to be set + 6. Do: `run` + +## Scenarios + + A run against the configuration from these docs + + ``` + msf > use auxiliary/scanner/rservices/rexec_login + msf auxiliary(rexec_login) > set username test + username => test + msf auxiliary(rexec_login) > set password 'test' + password => test + msf auxiliary(rexec_login) > run + + [*] 127.0.0.1:512 - 127.0.0.1:512 - Starting rexec sweep + [+] 127.0.0.1:512 - 127.0.0.1:512, rexec 'test' : 'test' + [!] 127.0.0.1:512 - *** auxiliary/scanner/rservices/rexec_login is still calling the deprecated report_auth_info method! This needs to be updated! + [!] 127.0.0.1:512 - *** For detailed information about LoginScanners and the Credentials objects see: + [!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners + [!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module + [!] 127.0.0.1:512 - *** For examples of modules converted to just report credentials without report_auth_info, see: + [!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/pull/5376 + [!] 
127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/pull/5377 + [*] Command shell session 2 opened (127.0.0.1:37489 -> 127.0.0.1:512) at 2017-04-27 20:56:54 -0400 + [*] Scanned 1 of 1 hosts (100% complete) + [*] Auxiliary module execution completed + ``` + +## Confirming using NMAP + +Utilizing [rexec-brute](https://nmap.org/nsedoc/scripts/rexec-brute.html) + + ``` + nmap -p 512 --script rexec-brute 127.0.0.1 + + Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 21:23 EDT + Nmap scan report for localhost (127.0.0.1) + Host is up (0.000037s latency). + PORT STATE SERVICE + 512/tcp open exec + | rexec-brute: + | Accounts: + | test:test - Valid credentials + |_ Statistics: Performed 7085940 guesses in 629 seconds, average tps: 9231.6 + ``` \ No newline at end of file From 4c40c6289e23a3f9dc536a8cc73394e1bbc3733a Mon Sep 17 00:00:00 2001 From: h00die Date: Thu, 11 May 2017 20:22:44 -0400 Subject: [PATCH 2/3] add rlogin and rsh --- .../scanner/rservices/rlogin_login.md | 68 +++++++++++++++++++ .../auxiliary/scanner/rservices/rsh_login.md | 55 +++++++++++++++ 2 files changed, 123 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/rservices/rlogin_login.md create mode 100644 documentation/modules/auxiliary/scanner/rservices/rsh_login.md diff --git a/documentation/modules/auxiliary/scanner/rservices/rlogin_login.md b/documentation/modules/auxiliary/scanner/rservices/rlogin_login.md new file mode 100644 index 000000000000..ca9f39f32928 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/rservices/rlogin_login.md 
@@ -0,0 +1,68 @@ +## Vulnerable Application + +The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s. +These services are all but unused in modern computing, as they have been replace by telnet and ssh. + +The following was done on Kali linux: + + 1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`. + 2. Start the service: `service openbsd-inetd start` + +## Verification Steps + + 1. Install and configure rexec + 2. Start msfconsole + 3. Do: `use auxiliary/scanner/rservices/rlogin_login` + 4. Do: `set rhosts` + 5. Set any other credentials that will need to be set + 6. Do: `run` + +## Scenarios + + A run against the configuration from these docs + + ``` + msf > use auxiliary/scanner/rservices/rlogin_login + msf auxiliary(rlogin_login) > set rhosts 10.1.2.3 + rhosts => 10.1.2.3 + msf auxiliary(rlogin_login) > set password test + password => test + msf auxiliary(rlogin_login) > set username test + username => test + msf auxiliary(rlogin_login) > run + + [*] 10.1.2.3:513 - 10.1.2.3:513 - Starting rlogin sweep + [*] 10.1.2.3:513 - 10.1.2.3:513 - Attempting: 'test':"test" from 'root' + [*] 10.1.2.3:513 - 10.1.2.3:513 - Prompt: Password: + [*] 10.1.2.3:513 - 10.1.2.3:513 - Result: The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. + [+] 10.1.2.3:513 - 10.1.2.3:513, rlogin 'test' successful with password "test" + [!] 10.1.2.3:513 - *** auxiliary/scanner/rservices/rlogin_login is still calling the deprecated report_auth_info method! This needs to be updated! + [!] 10.1.2.3:513 - *** For detailed information about LoginScanners and the Credentials objects see: + [!] 
10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners + [!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module + [!] 10.1.2.3:513 - *** For examples of modules converted to just report credentials without report_auth_info, see: + [!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5376 + [!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5377 + [*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:513) at 2017-05-11 20:04:24 -0400 + [*] Scanned 1 of 1 hosts (100% complete) + [*] Auxiliary module execution completed + ``` + +## Confirming using NMAP + +Utilizing [rlogin-brute](https://nmap.org/nsedoc/scripts/rlogin-brute.html) + + ``` + nmap -p 513 --script rlogin-brute 10.1.2.3 + + Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 20:07 EDT + Nmap scan report for test (10.1.2.3) + Host is up (0.000039s latency). + PORT STATE SERVICE + 513/tcp open login + | rlogin-brute: + | Accounts: No valid accounts found + |_ Statistics: Performed 6662201 guesses in 609 seconds, average tps: 10491.0 + + Nmap done: 1 IP address (1 host up) scanned in 608.75 seconds + ``` \ No newline at end of file diff --git a/documentation/modules/auxiliary/scanner/rservices/rsh_login.md b/documentation/modules/auxiliary/scanner/rservices/rsh_login.md new file mode 100644 index 000000000000..84ccc976b580 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/rservices/rsh_login.md 
@@ -0,0 +1,55 @@ +## Vulnerable Application + +The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s. +These services are all but unused in modern computing, as they have been replace by telnet and ssh. + +`rsh` relies on host names as a security mechanism. Utilizing `+` can wildcard so any computer can connect. In the following +config, we'll utilize that wildcarded setting to simplify our exploitation. This is a glaring security issue!!! + +If you encounter `Host address mismatch for `..., you may need to adjust your `/etc/hosts` file accordingly. + +The following was done on Kali linux: + + 1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`. + 2. ```echo "+" > ~/.rhosts``` + 3. Start the service: `service openbsd-inetd start` + +## Verification Steps + + 1. Install and configure rexec + 2. Start msfconsole + 3. Do: `use auxiliary/scanner/rservices/rsh_login` + 4. Do: `set rhosts` + 5. Set any other credentials that will need to be set + 6. Do: `run` + +## Scenarios + + A run against the configuration from these docs + + ``` + msf > use auxiliary/scanner/rservices/rsh_login + msf auxiliary(rsh_login) > set rhosts 10.1.2.3 + rhosts => 10.1.2.3 + msf auxiliary(rsh_login) > set username root + username => root + msf auxiliary(rsh_login) > run + + [*] 10.1.2.3:514 - 10.1.2.3:514 - Starting rsh sweep + [*] 10.1.2.3:514 - 10.1.2.3:514 - Attempting rsh with username 'root' from 'root' + [+] 10.1.2.3:514 - 10.1.2.3:514, rsh 'root' from 'root' with no password. + [!] 10.1.2.3:514 - *** auxiliary/scanner/rservices/rsh_login is still calling the deprecated report_auth_info method! This needs to be updated! + [!] 10.1.2.3:514 - *** For detailed information about LoginScanners and the Credentials objects see: + [!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners + [!] 
10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module + [!] 10.1.2.3:514 - *** For examples of modules converted to just report credentials without report_auth_info, see: + [!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/pull/5376 + [!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/pull/5377 + [*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:514) at 2017-05-11 19:56:46 -0400 + [*] Scanned 1 of 1 hosts (100% complete) + [*] Auxiliary module execution completed + ``` + +## Confirming + +At the time of writing this, there was no `nmap` script equivalent. Most modern systems have also replaced `rsh` with `ssh`. \ No newline at end of file From fb236df18f74869778d491bddd4bb72feae8f86c Mon Sep 17 00:00:00 2001 From: h00die Date: Fri, 12 May 2017 19:15:00 -0400 Subject: [PATCH 3/3] added AIX reference --- .../modules/auxiliary/scanner/rservices/rsh_login.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/documentation/modules/auxiliary/scanner/rservices/rsh_login.md b/documentation/modules/auxiliary/scanner/rservices/rsh_login.md index 84ccc976b580..a9c14a5a1dc5 100644 --- a/documentation/modules/auxiliary/scanner/rservices/rsh_login.md +++ b/documentation/modules/auxiliary/scanner/rservices/rsh_login.md 
@@ -4,7 +4,9 @@ The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote com These services are all but unused in modern computing, as they have been replace by telnet and ssh. `rsh` relies on host names as a security mechanism. Utilizing `+` can wildcard so any computer can connect. In the following -config, we'll utilize that wildcarded setting to simplify our exploitation. This is a glaring security issue!!! +config, we'll utilize that wildcarded setting to simplify our exploitation. **This is a glaring security issue!!!** +However, there are exceptions to this in proprietary Unix systems which may include other mechanisms such as Kerberos +([AIX](https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.cmds4/rsh.htm)) If you encounter `Host address mismatch for `..., you may need to adjust your `/etc/hosts` file accordingly. @@ -52,4 +54,4 @@ The following was done on Kali linux: ## Confirming -At the time of writing this, there was no `nmap` script equivalent. Most modern systems have also replaced `rsh` with `ssh`. \ No newline at end of file +At the time of writing this, there was no `nmap` script equivalent. Most modern systems have also replaced `rsh` with `ssh`.
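Review bot: in the rexec_login.md hunk (PATCH 1/3), the "Vulnerable Application" line "they have been replace by telnet and ssh" has a typo ("replaced") and, more importantly, names the wrong successor: telnet is an unencrypted protocol of the same vintage as the R services, not their replacement. Suggest "they have been replaced by ssh", which also matches the "replaced `rsh` with `ssh`" wording this PR uses in rsh_login.md. Two smaller points in the same hunk: the Scenarios transcript never shows `set rhosts` even though Verification Steps list it and the run targets 127.0.0.1 (the rlogin and rsh transcripts do show it, so add `set rhosts 127.0.0.1` for consistency), and the seven `[!]` lines about the deprecated `report_auth_info` method are module warnings the reader cannot act on; either fix the module in this PR or trim them from the sample output.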
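Review bot: in the rlogin_login.md hunk (PATCH 2/3), Verification Steps step 1 reads "Install and configure rexec", a copy-paste from the rexec doc; this module targets rlogind on 513, so it should say rlogin. Same "replace by telnet and ssh" wording problem as in rexec_login.md. The "Confirming using NMAP" section then shows `rlogin-brute` reporting "No valid accounts found" against the same host and credentials the module just logged in with, so as written it contradicts rather than confirms the module run; either state that nmap did not reproduce the result (and why, if known) or drop the section. Finally, the session line shows the client bound source port 1023 ("10.1.2.3:1023 -> 10.1.2.3:513"); rlogind only accepts connections from source ports below 1024, so the doc should say that msfconsole has to run with sufficient privilege to bind such a port or the module will fail.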
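Review bot: in the rsh_login.md hunk (PATCH 2/3), setup step 2 `echo "+" > ~/.rhosts` does not say whose home directory; the scenario logs in as root with no password, so the file has to be `/root/.rhosts` (or the `.rhosts` of whichever account is being tested), and that should be stated explicitly since a reader running the step as a different user will get the "Host address mismatch"/permission failure the doc warns about. Step 1 of Verification Steps again says "Install and configure rexec" where it should say rsh, and the "replace by telnet and ssh" sentence has the same problem as in the other two files. The `+` explanation could also be tightened: a bare `+` line in `~/.rhosts` trusts any host for the same username, which is exactly what lets the 'root' from 'root' attempt succeed here; saying so ties the config to the transcript.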
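Review bot: in the first rsh_login.md hunk of PATCH 3/3, the added sentence "there are exceptions to this in proprietary Unix systems which may include other mechanisms such as Kerberos ([AIX](...))" is vague about what "this" refers to and ends without a period. Suggest stating the exception concretely, e.g. "Some proprietary Unix rsh implementations, such as AIX, can authenticate with Kerberos instead of relying only on ~/.rhosts host trust (see the AIX rsh man page)." The second hunk only adds the missing trailing newline, which is fine.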