
Commit 8be51bb

Author: Brent Cook (committed)
Land rapid7#8372, rservice documentation
2 parents f39e378 + fb236df commit 8be51bb

3 files changed: +187 -0 lines changed

3 files changed

+187
-0
lines changed
Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
## Vulnerable Application
2+
3+
The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
4+
These services are all but unused in modern computing, as they have been replace by telnet and ssh.
5+
6+
The following was done on Kali linux:
7+
8+
1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
9+
2. Start the service: `service openbsd-inetd start`
10+
11+
## Verification Steps
12+
13+
1. Install and configure rexec
14+
2. Start msfconsole
15+
3. Do: `use auxiliary/scanner/rservices/rexec_login`
16+
4. Do: `set rhosts`
17+
5. Set any other credentials that will need to be set
18+
6. Do: `run`
19+
20+
## Scenarios
21+
22+
A run against the configuration from these docs
23+
24+
```
25+
msf > use auxiliary/scanner/rservices/rexec_login
26+
msf auxiliary(rexec_login) > set username test
27+
username => test
28+
msf auxiliary(rexec_login) > set password 'test'
29+
password => test
30+
msf auxiliary(rexec_login) > run
31+
32+
[*] 127.0.0.1:512 - 127.0.0.1:512 - Starting rexec sweep
33+
[+] 127.0.0.1:512 - 127.0.0.1:512, rexec 'test' : 'test'
34+
[!] 127.0.0.1:512 - *** auxiliary/scanner/rservices/rexec_login is still calling the deprecated report_auth_info method! This needs to be updated!
35+
[!] 127.0.0.1:512 - *** For detailed information about LoginScanners and the Credentials objects see:
36+
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
37+
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
38+
[!] 127.0.0.1:512 - *** For examples of modules converted to just report credentials without report_auth_info, see:
39+
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/pull/5376
40+
[!] 127.0.0.1:512 - https://github.com/rapid7/metasploit-framework/pull/5377
41+
[*] Command shell session 2 opened (127.0.0.1:37489 -> 127.0.0.1:512) at 2017-04-27 20:56:54 -0400
42+
[*] Scanned 1 of 1 hosts (100% complete)
43+
[*] Auxiliary module execution completed
44+
```
45+
46+
## Confirming using NMAP
47+
48+
Utilizing [rexec-brute](https://nmap.org/nsedoc/scripts/rexec-brute.html)
49+
50+
```
51+
nmap -p 512 --script rexec-brute 127.0.0.1
52+
53+
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 21:23 EDT
54+
Nmap scan report for localhost (127.0.0.1)
55+
Host is up (0.000037s latency).
56+
PORT STATE SERVICE
57+
512/tcp open exec
58+
| rexec-brute:
59+
| Accounts:
60+
| test:test - Valid credentials
61+
|_ Statistics: Performed 7085940 guesses in 629 seconds, average tps: 9231.6
62+
```
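Review bot: in the `## Scenarios` transcript `rhosts` is never set before `run`, even though step 4 of `## Verification Steps` is `set rhosts` and the sweep output reports `127.0.0.1:512`; add a `set rhosts 127.0.0.1` line so the transcript can be reproduced from the steps as written. In the `## Vulnerable Application` paragraph, "replace by" should read "replaced by", and listing telnet as the replacement for the R Services is misleading because telnet is just as unencrypted; ssh is the replacement worth naming, and "Kali linux" should be "Kali Linux". The run of `[!]` lines about `report_auth_info` is framework deprecation noise rather than documentation of the module's behaviour; either trim it from the transcript or add a sentence saying it can be ignored, so a reader does not take it for part of a successful result.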
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
## Vulnerable Application
2+
3+
The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
4+
These services are all but unused in modern computing, as they have been replace by telnet and ssh.
5+
6+
The following was done on Kali linux:
7+
8+
1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
9+
2. Start the service: `service openbsd-inetd start`
10+
11+
## Verification Steps
12+
13+
1. Install and configure rexec
14+
2. Start msfconsole
15+
3. Do: `use auxiliary/scanner/rservices/rlogin_login`
16+
4. Do: `set rhosts`
17+
5. Set any other credentials that will need to be set
18+
6. Do: `run`
19+
20+
## Scenarios
21+
22+
A run against the configuration from these docs
23+
24+
```
25+
msf > use auxiliary/scanner/rservices/rlogin_login
26+
msf auxiliary(rlogin_login) > set rhosts 10.1.2.3
27+
rhosts => 10.1.2.3
28+
msf auxiliary(rlogin_login) > set password test
29+
password => test
30+
msf auxiliary(rlogin_login) > set username test
31+
username => test
32+
msf auxiliary(rlogin_login) > run
33+
34+
[*] 10.1.2.3:513 - 10.1.2.3:513 - Starting rlogin sweep
35+
[*] 10.1.2.3:513 - 10.1.2.3:513 - Attempting: 'test':"test" from 'root'
36+
[*] 10.1.2.3:513 - 10.1.2.3:513 - Prompt: Password:
37+
[*] 10.1.2.3:513 - 10.1.2.3:513 - Result: The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
38+
[+] 10.1.2.3:513 - 10.1.2.3:513, rlogin 'test' successful with password "test"
39+
[!] 10.1.2.3:513 - *** auxiliary/scanner/rservices/rlogin_login is still calling the deprecated report_auth_info method! This needs to be updated!
40+
[!] 10.1.2.3:513 - *** For detailed information about LoginScanners and the Credentials objects see:
41+
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
42+
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
43+
[!] 10.1.2.3:513 - *** For examples of modules converted to just report credentials without report_auth_info, see:
44+
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5376
45+
[!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5377
46+
[*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:513) at 2017-05-11 20:04:24 -0400
47+
[*] Scanned 1 of 1 hosts (100% complete)
48+
[*] Auxiliary module execution completed
49+
```
50+
51+
## Confirming using NMAP
52+
53+
Utilizing [rlogin-brute](https://nmap.org/nsedoc/scripts/rlogin-brute.html)
54+
55+
```
56+
nmap -p 513 --script rlogin-brute 10.1.2.3
57+
58+
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 20:07 EDT
59+
Nmap scan report for test (10.1.2.3)
60+
Host is up (0.000039s latency).
61+
PORT STATE SERVICE
62+
513/tcp open login
63+
| rlogin-brute:
64+
| Accounts: No valid accounts found
65+
|_ Statistics: Performed 6662201 guesses in 609 seconds, average tps: 10491.0
66+
67+
Nmap done: 1 IP address (1 host up) scanned in 608.75 seconds
68+
```
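Review bot: the `## Confirming using NMAP` section does not confirm the Metasploit result: `rlogin-brute` reports `Accounts: No valid accounts found` while the run above reports `rlogin 'test' successful with password "test"` against the same host. Either explain the discrepancy (the NSE script here is guessing from Nmap's default username and password lists, which are not guaranteed to contain `test`; the pair can be supplied explicitly through the `unpwdb` library's `userdb` and `passdb` script arguments) or replace the output with a run that actually finds the account, otherwise the section contradicts the document. Step 1 of `## Verification Steps` says `Install and configure rexec`, but this file documents `rlogin_login`; say rlogin (or the `rsh-server` package) instead. Same typos as the rexec file: "replace by" for "replaced by" and "Kali linux".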
Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
## Vulnerable Application
2+
3+
The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s.
4+
These services are all but unused in modern computing, as they have been replace by telnet and ssh.
5+
6+
`rsh` relies on host names as a security mechanism. Utilizing `+` can wildcard so any computer can connect. In the following
7+
config, we'll utilize that wildcarded setting to simplify our exploitation. **This is a glaring security issue!!!**
8+
However, there are exceptions to this in proprietary Unix systems which may include other mechanisms such as Kerberos
9+
([AIX](https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.cmds4/rsh.htm))
10+
11+
If you encounter `Host address mismatch for `..., you may need to adjust your `/etc/hosts` file accordingly.
12+
13+
The following was done on Kali linux:
14+
15+
1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`.
16+
2. ```echo "+" > ~/.rhosts```
17+
3. Start the service: `service openbsd-inetd start`
18+
19+
## Verification Steps
20+
21+
1. Install and configure rexec
22+
2. Start msfconsole
23+
3. Do: `use auxiliary/scanner/rservices/rsh_login`
24+
4. Do: `set rhosts`
25+
5. Set any other credentials that will need to be set
26+
6. Do: `run`
27+
28+
## Scenarios
29+
30+
A run against the configuration from these docs
31+
32+
```
33+
msf > use auxiliary/scanner/rservices/rsh_login
34+
msf auxiliary(rsh_login) > set rhosts 10.1.2.3
35+
rhosts => 10.1.2.3
36+
msf auxiliary(rsh_login) > set username root
37+
username => root
38+
msf auxiliary(rsh_login) > run
39+
40+
[*] 10.1.2.3:514 - 10.1.2.3:514 - Starting rsh sweep
41+
[*] 10.1.2.3:514 - 10.1.2.3:514 - Attempting rsh with username 'root' from 'root'
42+
[+] 10.1.2.3:514 - 10.1.2.3:514, rsh 'root' from 'root' with no password.
43+
[!] 10.1.2.3:514 - *** auxiliary/scanner/rservices/rsh_login is still calling the deprecated report_auth_info method! This needs to be updated!
44+
[!] 10.1.2.3:514 - *** For detailed information about LoginScanners and the Credentials objects see:
45+
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
46+
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
47+
[!] 10.1.2.3:514 - *** For examples of modules converted to just report credentials without report_auth_info, see:
48+
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/pull/5376
49+
[!] 10.1.2.3:514 - https://github.com/rapid7/metasploit-framework/pull/5377
50+
[*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:514) at 2017-05-11 19:56:46 -0400
51+
[*] Scanned 1 of 1 hosts (100% complete)
52+
[*] Auxiliary module execution completed
53+
```
54+
55+
## Confirming
56+
57+
At the time of writing this, there was no `nmap` script equivalent. Most modern systems have also replaced `rsh` with `ssh`.
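Review bot: step 2 of the Kali setup, `echo "+" > ~/.rhosts`, needs two caveats so the result is reproducible and the reader understands what it weakens. First, `rshd` validates the file through `ruserok`, which ignores a `.rhosts` that is not owned by the user (or root) or that is writable by other users, so file ownership and mode decide whether the `+` entry is honoured at all. Second, a `+` entry trusts every client host for that account, which is exactly why the transcript shows `root` logging in with no password; naming `/etc/hosts.equiv` as the system-wide counterpart would tell a reader auditing a host both files to check. The `Host address mismatch` sentence would be clearer if it said why `/etc/hosts` matters: `rshd` resolves the client's address to a name and compares it against the trusted host list, so a failed or inconsistent reverse lookup is rejected. Formatting: that same sentence has unbalanced backticks (`Host address mismatch for `...), the `echo` step uses triple backticks where every other inline command in the file uses single backticks, and "Utilizing `+` can wildcard so any computer can connect" reads awkwardly ("A `+` entry acts as a wildcard, so any host can connect"). Typos: "replace by", "Kali linux", and step 1 of `## Verification Steps` says rexec where this file is about rsh.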
