golismero / golismero

GoLismero - The Web Knife
http://golismero.com/
GNU General Public License v2.0

Metasploit Support #43

Open devcoinfet opened 6 years ago

devcoinfet commented 6 years ago

Hey guys, I was thinking of playing around with some Metasploit support. Does anyone have any ideas on what type of integration we want to start off with? Are we thinking version scanners, or are we talking full Metasploit pwnage via Python from the output of the Nmap scan?

I figured I'd ask for some guidance on the best course of attack for this design, for a first-draft code design to submit to you guys.

MarioVilas commented 6 years ago

The easiest way to integrate Metasploit would be a plugin that receives port scan results, consults Metasploit to see which exploits can be launched against the discovered services, and launches them. The plugin should probably not try to launch Metasploit by itself but instead connect to an already running instance, but this could maybe be configurable.

devcoinfet commented 6 years ago

Ok, perfect, I have a few ideas, but I think it may be prudent to use a version string and match some modules to the specific service, and there is pymetasploit I can utilize.

devcoinfet commented 6 years ago

Ok, well, I have some code working, going into the process of determining vulnerabilities etc. What I'd like to know is, do you want to start with a subset of basic exploits? Meaning like a dictionary of exploits, match that loosely to the banner and OS, and pass off to pymetasploit for exploitation. I kept it class based; as it's my first real stab at something this extreme I'll take my time. I was just wondering if you want to do Hail Mary style via pymetasploit, or allow the user to interact, or just hammer away at a predefined subset of exploits.

devcoinfet commented 6 years ago

Ya, I have some nmap code I have been working on that triggers a positive result for the proftpd exploit via nmap and my code; now I just need to use pymetasploit to connect it like this.

This is a rough draft of how I want to call it after this:

```python
if "ProFTPD version: 1.3.5b" in ban:
    print("Down The Rabbit Hole Neo Blue Bill or Red Pill")
    print("Exploit Detected Entering Attack Phase")
    try:
        self.metasploit_pwn(ip, 'exploit/unix/ftp/proftpd_modcopy_exec', 'pass!')
    except:
        pass
```

Not the best, but for just today I'm not upset, and I'm new as hell to classes for Python, I usually don't need them.

I plan to return each positive port and banner for each IP to a custom dictionary so we can iterate over the results and create a filter for the modules here:

```python
exploit_count = len(client.modules.exploits)
```

so we could easily code a basic string regex for banners and do a Hail Mary.


MarioVilas commented 6 years ago

You can't really interact with the user from a plugin, because they all run in parallel in the background. It needs to be automated and all user decisions pre-defined via configuration.

As for having to code an if statement for each exploit, shouldn't there be a more generic approach? You don't want to have to patch the plugin code every time a new exploit comes out. The plugin should be smart enough to get the list of exploits and match them to their respective services. (It can be a little "less" smart and just match by service type; for example, you can try all FTP exploits in succession against an open 21 port, regardless of the server banner, which can be fake anyway).

I would also advise against using "except: pass", since when you do there's no way for Golismero to tell something went wrong in the exploit.

devcoinfet commented 6 years ago

Ok, understood. I'm running into an issue. I have got a lot more done, but as I'm launching my exploit (or trying to) for a CTF ISO in OVA format, it's the CTF_2017 one from VulnHub, and it appears to have the proftpd exploit available, which is my first test; then yes, by port I will be setting a basic Hail Mary.

https://github.com/allfro/pymetasploit/issues/6

I can't seem to get past this; otherwise in the interpreter it works ok, but if I fix this I'll be ready to get this rolling.


As soon as I get this working on the base version I'll fix it and put way better error handling in for you. I just really want to get a basic version working and build off it. You will like what I have made; give me a few days, and if I can manage to get this pymetasploit error fixed I'll be golden.

devcoinfet commented 6 years ago

OK, small update: I do have a very skeleton-like design working, but this version is going to require shelling another term, which can be done by just using xterm or such and having dual windows. This is coded off the base of AutoSploit and is using nmap to do port and service detection via classes, and passes the object to the Metasploit helper that will fire off exploits for each matched vuln. I'll email you a private build in a few days once I get it fixed up.

MarioVilas commented 6 years ago

The Golismero plugin should just connect to an existing Metasploit instance. It's best if you don't try to open new shell windows and stuff like that.

devcoinfet commented 6 years ago

Well, unfortunately at this time pymetasploit is not working on any git I pull. I can modify my codebase at any time once I hear from the admin on a fix. As it stands I'm working on the detection library, and it's not 100% that I'll need to pipe a new window just for the basic test I'm doing, like he did. I'm not dead set on a merge just yet, so don't fear, we'll all as a community figure this out.


MarioVilas commented 6 years ago

Never used pymetasploit to be honest. I did automate Metasploit several years ago just connecting directly to the REST API, so there is always that.

devcoinfet commented 6 years ago

Well, I have gotten this to work; look at my output from the tool. What I'm doing is taking an nmap XML file as input. I create a dictionary for each host as I pass through and it adds them all to a list, so a list of dicts :)

```python
scan_data = {'Host': ip, 'Port': port, 'Banner': clean_banner}
Host_Data.append(scan_data)
```

So doing this I can have all that data to crunch further. I'm thinking of also passing the OS into my dict so I can narrow the exploit list down by platform type before service! And then for each service it will pass off control to the module sort function I modified, and it will return all exploits relevant to that service.

```
Detected:proftp
use exploit/unix/ftp/proftpd_133c_backdoor;exploit -j;
Detected:proftp
use exploit/linux/ftp/proftp_sreplace;exploit -j;
Detected:apache
use exploit/windows/http/apache_mod_rewrite_ldap;exploit -j;
Detected:apache
use exploit/multi/http/apache_activemq_upload_jsp;exploit -j;
```

This is a huge skeletal rough draft, nothing is set in stone, but I like the fine-tuned searching I can do like this:

```python
for hosts in Host_Data:
    banners = sort_modules(hosts['Banner'][0:8].lower().replace(" ", ""))
    for matched_exploit in banners:
        print matched_exploit + "\n"
```
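The nmap-XML-to-list-of-dicts step described above, as an added example (not GoLismero's or the issue author's code): Python 3, standard library only, run against a constructed sample report; it also records a normalized service token and an OS family field.

```python
# Added example (not GoLismero's or the issue author's code): parse an Nmap XML
# report into the list-of-dicts shape described in the thread, standard library only.
import xml.etree.ElementTree as ET

# Constructed sample report, not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.5b"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.7"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
</nmaprun>
"""

def normalize_product(product):
    # First token of the lower-cased product name ("Apache httpd" -> "apache").
    # Banners are attacker-controlled, so treat this as a hint, not ground truth.
    return product.lower().split()[0] if product else ""

def os_family(osmatch_name):
    # Collapse the Nmap OS match into the families the thread branches on.
    name = osmatch_name.lower()
    for family in ("windows", "linux", "unix"):
        if family in name:
            return family
    return "unknown"

def parse_nmap_xml(xml_text):
    # One dict per open port: Host, Port, Banner, normalized Service, OS family.
    host_data = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else None
        osmatch = host.find("os/osmatch")
        family = os_family(osmatch.get("name")) if osmatch is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            host_data.append({"Host": ip, "Port": int(port.get("portid")),
                              "Banner": (product + " " + version).strip(),
                              "Service": normalize_product(product),
                              "operating_system": family})
    return host_data
```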

devcoinfet commented 6 years ago

And the reason I had to do that to the service string is I noticed that proftp triggered 2 results while proftpd found 1 and the full banner found nothing. So I decided that is enough to detect at least proftp constantly and reliably pull all the modules.

MarioVilas commented 6 years ago

Golismero already gives you the port scan data, you don't need to parse xml files. :)

devcoinfet commented 6 years ago

Well, for what I am doing I disagree; I doubt golismero is doing the same thing I am with this. Maybe after you see my work we can decide if there's a better way, but to start getting a working program I had to start with what I know, and honestly golismero was hard as hell to trace the code, so to start I did it this way. Give me just a few days and I'll release it to my GitHub and you can critique it, and I'll see if there's built-in methods inside of golismero that can do what I'm doing.


devcoinfet commented 6 years ago

```python
from libnmap.parser import NmapParser  # python-libnmap

def main():
    load_modules()
    report = NmapParser.parse_fromfile(input_file)
    report_parser2(report)
    local_port = getfreeport()
    for hosts in Host_Data:
        # setup exploits based off the os or try to
        ostype = str(hosts['operating_system'])
        if "linux" in ostype:
            print "linux Detected loading correct exploits" + "\n"
            os_banners = sort_modules_os('linux')
            sorted_soft_banners = sort_modules(
                hosts['Banner'][0:8].lower().replace(" ", "").rstrip())
            for banner in os_banners:
                print banner
                print "\n"

        if "windows" in ostype:
            print "windows Detected loading correct exploits" + "\n"
            os_banners = sort_modules_os('windows')
            for banner in os_banners:
                print banner
                print "\n"

        if "unix" in ostype:
            print "unix Detected loading correct exploits" + "\n"
            os_banners = sort_modules_os('unix')
            for banner in os_banners:
                print banner
                print "\n"
```

Does golismero support this type of handling? If so let me know, I'll retool it as soon as my idea is fully working.


devcoinfet commented 6 years ago

Can you show me what you mean about golismero with provided data, please? Maybe it will be better if I had a little help. Mind you, I'm just a hobby coder, nowhere near as good as you guys, nor do I do this as a job, lol, this is for fun.


MarioVilas commented 6 years ago

We used to do this for fun too :) That's why we currently cannot code on it anymore and are only maintaining the code. We need folks like you to contribute patches! :)

This is the code to the nmap plugin: https://github.com/golismero/golismero/blob/master/plugins/testing/scan/nmap.py

It produces objects of types Portscan and ServiceFingerprint. You can make the Metasploit plugin just receive those data types and work with them, and Golismero should automatically figure out what you're trying to do and feed you the nmap data on its own.

https://github.com/golismero/golismero/blob/master/golismero/api/data/information/portscan.py

https://github.com/golismero/golismero/blob/master/golismero/api/data/information/fingerprint.py

This should save you a ton of work!

devcoinfet commented 6 years ago

Well, after listening to what you said I managed to find a Chinese writeup on pymsfrpc using SpiderLabs over msfrpc, and figured out how to gen a password, and now have made the module use no other windows.

In the next few days I should have a working version, as well as hopefully time to look into your suggestion on using golismero core.
