rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Starting the RPC Server for the Metasploit Framework Using MSGRPC (create constant user) #18165

Closed vladimircape closed 1 year ago

vladimircape commented 1 year ago

Hi, I didn't find the answer to such a question. I am creating a Python script which uses Metasploit through its API, and on each start of msgrpc I need to create a new user,

msgrpc plugin to start an instance of the server
msf6 > load msgrpc User = msf Pass = password
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: AOO0s5aJ
[*] Successfully loaded plugin: msgrpc

How is it possible to create a constant user, and not create such a user every time? I know that it's also possible with this:

msf > load msgrpc ServerHost=192.168.1.0 ServerPort=55553 User=user Pass='pass123'

but is it possible to do this without starting the console or something else? I need it automatic, not manual. I tried msfrpcd -U <username> -P <username> -f but without success.

C:\metasploit-framework\bin>msfrpcd -U user -P pass123 -f -p 55552 -a 127.0.0.1
c:/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/rex-core-0.1.31/lib/rex/compat.rb:381: warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead
[*] MSGRPC starting on 127.0.0.1:55552 (SSL):Msg...
[*] MSGRPC ready at 2023-07-05 12:24:35 +0300.

bcoles commented 1 year ago

but is it possible to do this without starting the console or something else? I need it automatic, not manual. I tried msfrpcd -U <username> -P <username> -f but without success.

This is the correct approach and works for me (on Kali).

# ./msfrpcd -U asdf -P password 
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
/usr/lib/x86_64-linux-gnu/ruby/3.1.0/stringio.so: warning: already initialized constant StringIO::VERSION
[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
[*] MSGRPC backgrounding at 2023-07-05 05:31:34 -0400...
[*] MSGRPC background PID 228288
# ./msfrpc -U asdf -P password -a 127.0.0.1
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
/usr/lib/x86_64-linux-gnu/ruby/3.1.0/stringio.so: warning: already initialized constant StringIO::VERSION
[*] The 'rpc' object holds the RPC client interface
[*] Use rpc.call('group.command') to make RPC calls

>> rpc
=> 
#<Msf::RPC::Client:0x00007fca2de26fb8
 @cli=
  #<Rex::Proto::Http::Client:0x00007fca2de09a80
   @comm=nil,
   @config=
    {"agent"=>"Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1",
     "cgi"=>true,
     "cookie"=>nil,
     "data"=>"",
     "headers"=>nil,
     "raw_headers"=>"",
     "method"=>"GET",
     "partial"=>false,
     "path_info"=>"",
     "port"=>80,
     "proto"=>"HTTP",
     "query"=>"",
     "ssl"=>false,
     "uri"=>"/",
     "vars_get"=>{},
     "vars_post"=>{},
     "vars_form_data"=>[],
     "version"=>"1.1",
     "vhost"=>"127.0.0.1",
     "ssl_server_name_indication"=>"127.0.0.1",
     "encode_params"=>true,
     "encode"=>false,
     "uri_encode_mode"=>"hex-normal",
     "uri_encode_count"=>1,
     "uri_full_url"=>false,
     "pad_method_uri_count"=>1,
     "pad_uri_version_count"=>1,
     "pad_method_uri_type"=>"space",
     "pad_uri_version_type"=>"space",
     "method_random_valid"=>false,
     "method_random_invalid"=>false,
     "method_random_case"=>false,
     "version_random_valid"=>false,
     "version_random_invalid"=>false,
     "uri_dir_self_reference"=>false,
     "uri_dir_fake_relative"=>false,
     "uri_use_backslashes"=>false,
     "pad_fake_headers"=>false,
     "pad_fake_headers_count"=>16,
     "pad_get_params"=>false,
     "pad_get_params_count"=>8,
     "pad_post_params"=>false,
     "pad_post_params_count"=>8,
     "uri_fake_end"=>false,
     "uri_fake_params_start"=>false,
     "shuffle_get_params"=>false,
     "shuffle_post_params"=>false,
     "header_folding"=>false,
     "chunked_size"=>0,
     "usentlm2_session"=>true,
     "use_ntlmv2"=>true,
     "send_lm"=>true,
     "send_ntlm"=>true,
     "SendSPN"=>true,
     "UseLMKey"=>false,
     "domain"=>"WORKSTATION",
     "DigestAuthIIS"=>true,
     "read_max_data"=>1048576,
     :vhost=>"127.0.0.1",
     :agent=>"Metasploit RPC Client/1.0",
     :read_max_data=>536870912},
   @config_types=
    {"uri_encode_mode"=>["hex-normal", "hex-all", "hex-random", "hex-noslashes", "u-normal", "u-random", "u-all"],
     "uri_encode_count"=>"integer",
     "uri_full_url"=>"bool",
     "pad_method_uri_count"=>"integer",
     "pad_uri_version_count"=>"integer",
     "pad_method_uri_type"=>["space", "tab", "apache"],
     "pad_uri_version_type"=>["space", "tab", "apache"],
     "method_random_valid"=>"bool",
     "method_random_invalid"=>"bool",
     "method_random_case"=>"bool",
     "version_random_valid"=>"bool",
     "version_random_invalid"=>"bool",
     "uri_dir_self_reference"=>"bool",
     "uri_dir_fake_relative"=>"bool",
     "uri_use_backslashes"=>"bool",
     "pad_fake_headers"=>"bool",
     "pad_fake_headers_count"=>"integer",
     "pad_get_params"=>"bool",
     "pad_get_params_count"=>"integer",
     "pad_post_params"=>"bool",
     "pad_post_params_count"=>"integer",
     "shuffle_get_params"=>"bool",
     "shuffle_post_params"=>"bool",
     "uri_fake_end"=>"bool",
     "uri_fake_params_start"=>"bool",
     "header_folding"=>"bool",
     "chunked_size"=>"integer",
     "partial"=>"bool"},
   @conn=nil,
   @context={},
   @hostname="127.0.0.1",
   @kerberos_authenticator=nil,
   @ntlm_client=nil,
   @password="",
   @pipeline=false,
   @port=55553,
   @proxies=nil,
   @ssl=true,
   @ssl_version="TLS1.2",
   @subscriber=#<Rex::Proto::Http::HttpSubscriber:0x00007fca2de0fd68>,
   @username="">,
 @info={:host=>"127.0.0.1", :port=>55553, :uri=>"/api/", :ssl=>true, :ssl_version=>"TLS1.2", :context=>{}},
 @pass="password",
 @token="TEMPOGnpFTmLPxWhJabcvUsT2MDWse9L",
 @user="asdf">
>> 
vladimircape commented 1 year ago

but is it possible to do this without starting the console or something else? I need it automatic, not manual. I tried msfrpcd -U <username> -P <username> -f but without success.

This is the correct approach and works for me (on Kali).

It also works for me, but when I tried it from Python, I got an error


[!] 1/3 Retry "auth.login" call. reason: [Errno 104] Connection reset by peer
[!] 2/3 Retry "auth.login" call. reason: [Errno 104] Connection reset by peer
[!] type:<class 'ConnectionResetError'>
[!] args:(104, 'Connection reset by peer')
[!] [Errno 104] Connection reset by peer
[!] Retry count is over.

Code

    # Log in to RPC Server.
    def login(self, user, password):
        ret = self.call('auth.login', [user, password])
        try:
            if ret.get(b'result') == b'success':
                self.authenticated = True
                self.token = ret.get(b'token')
                return True
            else:
                self.util.print_message(FAIL, 'MsfRPC: Authentication failed.')
                exit(1)
        except Exception as e:
            self.util.print_exception(e, 'Failed: auth.login')
            exit(1)

When I create the user directly from the console, everything is working.
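
The "Connection reset by peer" during auth.login in the comment above is the symptom a client hard-coded for plain HTTP shows when it talks to an SSL listener, and that is the likely cause here: the msfrpcd banner earlier in the thread says "(SSL)" and the `load msgrpc` banner does not, because msfrpcd enables SSL unless it is started with -S while the msgrpc console plugin defaults SSL to false. The client below is an added example, not code from the issue, the Trustwave post or the Metasploit project; it uses only the standard library, so the MessagePack subset, the `rpc_login` helper and its hint text are my own, and the host, port and credentials are the ones bcoles used. The request shape (POST to /api/ with Content-Type binary/message-pack, body `[method, *args]`) is the MSGRPC protocol as the thread's `rpc` dump shows it.

```python
"""Stdlib-only MSGRPC auth.login client for msfrpcd (added example, not code from the issue)."""
import http.client
import ssl
import struct


# Minimal MessagePack subset (nil, bool, fixint, str, small array/map): enough for
# the login exchange. Use the `msgpack` package for anything beyond this.
def pack(obj) -> bytes:
    if obj is None or isinstance(obj, bool):
        return {None: b"\xc0", False: b"\xc2", True: b"\xc3"}[obj]
    if isinstance(obj, int) and -32 <= obj < 0x80:
        return struct.pack("b" if obj < 0 else "B", obj)            # fixint
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        if len(data) < 32:
            return bytes([0xA0 | len(data)]) + data                  # fixstr
        if len(data) < 0x100:
            return b"\xd9" + bytes([len(data)]) + data               # str8
        return b"\xda" + struct.pack(">H", len(data)) + data         # str16
    if isinstance(obj, (list, tuple)) and len(obj) < 16:
        return bytes([0x90 | len(obj)]) + b"".join(map(pack, obj))  # fixarray
    if isinstance(obj, dict) and len(obj) < 16:                      # fixmap
        return bytes([0x80 | len(obj)]) + b"".join(pack(k) + pack(v) for k, v in obj.items())
    raise TypeError(f"unsupported or oversized value: {obj!r}")


def unpack(buf: bytes):
    """Decode one MessagePack value; strings come back as str, maps as dict."""
    return _decode(buf, 0)[0]


def _decode(buf, pos):
    b, pos = buf[pos], pos + 1
    if b < 0x80 or b >= 0xE0:                                        # positive / negative fixint
        return struct.unpack("b", bytes([b]))[0], pos
    if b in (0xC0, 0xC2, 0xC3):                                      # nil / false / true
        return {0xC0: None, 0xC2: False, 0xC3: True}[b], pos
    if 0xA0 <= b <= 0xBF:                                            # fixstr
        return _str(buf, pos, b & 0x1F)
    if b == 0xD9:                                                    # str8
        return _str(buf, pos + 1, buf[pos])
    if b == 0xDA:                                                    # str16
        return _str(buf, pos + 2, struct.unpack(">H", buf[pos:pos + 2])[0])
    if 0x80 <= b <= 0x9F:                                            # fixmap (0x8x) / fixarray (0x9x)
        is_map, n = b < 0x90, b & 0x0F
        items = []
        for _ in range(n * 2 if is_map else n):
            item, pos = _decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if is_map else items), pos
    raise ValueError(f"unsupported msgpack type byte 0x{b:02x}")


def _str(buf, pos, n):
    return buf[pos:pos + n].decode("utf-8"), pos + n


def login_request(user: str, password: str) -> bytes:
    """Body of the auth.login POST: a msgpack array of [method, *args]."""
    return pack(["auth.login", user, password])


def parse_login_response(body: bytes) -> str:
    """Return the session token, or raise with the server's error message."""
    reply = unpack(body)
    if reply.get("result") == "success" and reply.get("token"):
        return reply["token"]
    raise PermissionError(reply.get("error_message", "auth.login rejected"))


def rpc_login(host, port, user, password, use_ssl=True, cafile=None, timeout=5):
    """POST auth.login to the MSGRPC listener and return the session token."""
    if use_ssl:
        ctx = ssl.create_default_context(cafile=cafile)
        if cafile is None:
            # msfrpcd presents a self-signed certificate; without a pinned CA file it
            # cannot be verified. Acceptable on 127.0.0.1, not across a network.
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", "/api/", body=login_request(user, password),
                     headers={"Content-Type": "binary/message-pack"})
        body = conn.getresponse().read()
    except (ConnectionResetError, http.client.RemoteDisconnected, ssl.SSLError) as exc:
        # The mismatch seen in the issue: msfrpcd is SSL unless started with -S,
        # `load msgrpc` in msfconsole is plain HTTP unless SSL=true is given.
        hint = ("listener is probably SSL; pass use_ssl=True or start msfrpcd with -S"
                if not use_ssl else "listener is probably plain HTTP; pass use_ssl=False")
        raise ConnectionError(f"auth.login to {host}:{port} failed: {exc}; {hint}") from exc
    finally:
        conn.close()
    return parse_login_response(body)
```

Against the daemon bcoles started (`msfrpcd -U asdf -P password`, SSL on 0.0.0.0:55553) the call is `rpc_login("127.0.0.1", 55553, "asdf", "password")`; against the console plugin from the first comment it is `rpc_login("127.0.0.1", 55552, "msf", "<printed password>", use_ssl=False)`. The returned token goes into every later call as the first argument after the method name, e.g. `["core.version", token]`, and should be treated as a credential: it grants the same control over the framework as the username and password did.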

vladimircape commented 1 year ago

Found a possible solution: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scripting-metasploit-using-msgrpc/

dwelch-r7 commented 1 year ago

Seems like you've found a workaround @vladimircape, will close this issue out.