Land rapid7#3683, cucumber tests for msfconsole

egypt · egypt · commit 99c9d5a57809 · 2014-09-09T21:28:45.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,8 @@ Gemfile.local.lock
 .DS_Store
 # database config for testing
 config/database.yml
+# target config file for testing
+features/support/targets.yml
 # simplecov coverage data
 coverage
 doc/
@@ -50,6 +52,8 @@ tags
 
 # Rails log directory
 /log
+# Rails tmp directory
+/tmp
 
 # ignore release/debug folders for exploits
 external/source/exploits/**/Debug
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,8 @@
 env:
   - RAKE_TASK=cucumber
+  - RAKE_TASK=cucumber:boot
   - RAKE_TASK=spec
+
 language: ruby
 before_install:
   - rake --version
diff --git a/Gemfile b/Gemfile
@@ -38,7 +38,7 @@ group :development, :test do
   gem 'rspec', '>= 2.12', '< 3.0.0'
   # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
   # environment is development
-  gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
+  gem 'rspec-rails' , '>= 2.12', '< 3.0.0' 
 end
 
 group :pcap do
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -21,6 +21,9 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    actionmailer (3.2.19)
+      actionpack (= 3.2.19)
+      mail (~> 2.5.4)
     actionpack (3.2.19)
       activemodel (= 3.2.19)
       activesupport (= 3.2.19)
@@ -39,6 +42,9 @@ GEM
       activesupport (= 3.2.19)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
+    activeresource (3.2.19)
+      activemodel (= 3.2.19)
+      activesupport (= 3.2.19)
     activesupport (3.2.19)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
@@ -65,10 +71,11 @@ GEM
       diff-lcs (>= 1.1.3)
       gherkin (~> 2.11.0)
       json (>= 1.4.6)
-    cucumber-rails (1.3.0)
+    cucumber-rails (1.4.0)
       capybara (>= 1.1.2)
-      cucumber (>= 1.1.8)
+      cucumber (>= 1.2.0)
       nokogiri (>= 1.5.0)
+      rails (>= 3.0.0)
     diff-lcs (1.2.5)
     erubis (2.7.0)
     factory_girl (4.4.0)
@@ -84,6 +91,9 @@ GEM
     i18n (0.6.11)
     journey (1.0.4)
     json (1.8.1)
+    mail (2.5.4)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
     metasploit-concern (0.1.1)
       activesupport (~> 3.0, >= 3.0.0)
     metasploit-credential (0.9.0)
@@ -104,16 +114,17 @@ GEM
       pg
     meterpreter_bins (0.0.7)
     method_source (0.8.2)
-    mime-types (2.3)
+    mime-types (1.25.1)
     mini_portile (0.6.0)
     msgpack (0.5.8)
-    multi_json (1.0.4)
+    multi_json (1.0.3)
     network_interface (0.0.1)
     nokogiri (1.6.3.1)
       mini_portile (= 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.11.3)
     pg (0.17.1)
+    polyglot (0.3.5)
     pry (0.10.0)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
@@ -125,6 +136,14 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
+    rails (3.2.19)
+      actionmailer (= 3.2.19)
+      actionpack (= 3.2.19)
+      activerecord (= 3.2.19)
+      activeresource (= 3.2.19)
+      activesupport (= 3.2.19)
+      bundler (~> 1.0)
+      railties (= 3.2.19)
     railties (3.2.19)
       actionpack (= 3.2.19)
       activesupport (= 3.2.19)
@@ -174,7 +193,10 @@ GEM
     thor (0.19.1)
     tilt (1.4.1)
     timecop (0.7.1)
-    tzinfo (0.3.40)
+    treetop (1.4.15)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.41)
     xpath (2.0.0)
       nokogiri (~> 1.3)
     yard (0.8.7.4)
diff --git a/Rakefile b/Rakefile
diff --git a/config/cucumber.yml b/config/cucumber.yml
@@ -2,7 +2,9 @@
 rerun = File.file?('rerun.txt') ? IO.read('rerun.txt') : ""
 rerun_opts = rerun.to_s.strip.empty? ? "--format #{ENV['CUCUMBER_FORMAT'] || 'progress'} features" : "--format #{ENV['CUCUMBER_FORMAT'] || 'pretty'} #{rerun}"
 std_opts = "--format #{ENV['CUCUMBER_FORMAT'] || 'pretty'} --strict --tags ~@wip"
+ignored_tags = "--tags ~@boot --tags ~@targets"
 %>
-default: <%= std_opts %> features
+default: <%= std_opts %> <%= ignored_tags %> features
+boot: <%= std_opts %> --tags @boot features
 wip: --tags @wip:3 --wip features
 rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip
diff --git a/features/commands/help.feature b/features/commands/help.feature
@@ -0,0 +1,78 @@
+Feature: Help command
+  
+  Background:
+    Given I run `msfconsole` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    
+  Scenario: The 'help' command's output
+    When I type "help"
+    And I type "exit"
+    Then the output should contain:
+      """
+      Core Commands
+      =============
+
+          Command       Description
+          -------       -----------
+          ?             Help menu
+          back          Move back from the current context
+          banner        Display an awesome metasploit banner
+          cd            Change the current working directory
+          color         Toggle color
+          connect       Communicate with a host
+          edit          Edit the current module with $VISUAL or $EDITOR
+          exit          Exit the console
+          go_pro        Launch Metasploit web GUI
+          grep          Grep the output of another command
+          help          Help menu
+          info          Displays information about one or more module
+          irb           Drop into irb scripting mode
+          jobs          Displays and manages jobs
+          kill          Kill a job
+          load          Load a framework plugin
+          loadpath      Searches for and loads modules from a path
+          makerc        Save commands entered since start to a file
+          popm          Pops the latest module off the stack and makes it active
+          previous      Sets the previously loaded module as the current module
+          pushm         Pushes the active or list of modules onto the module stack
+          quit          Exit the console
+          reload_all    Reloads all modules from all defined module paths
+          resource      Run the commands stored in a file
+          route         Route traffic through a session
+          save          Saves the active datastores
+          search        Searches module names and descriptions
+          sessions      Dump session listings and display information about sessions
+          set           Sets a variable to a value
+          setg          Sets a global variable to a value
+          show          Displays modules of a given type, or all modules
+          sleep         Do nothing for the specified number of seconds
+          spool         Write console output into a file as well the screen
+          threads       View and manipulate background threads
+          unload        Unload a framework plugin
+          unset         Unsets one or more variables
+          unsetg        Unsets one or more global variables
+          use           Selects a module by name
+          version       Show the framework and console library version numbers
+
+
+      Database Backend Commands
+      =========================
+
+          Command           Description
+          -------           -----------
+          creds             List all credentials in the database
+          db_connect        Connect to an existing database
+          db_disconnect     Disconnect from the current database instance
+          db_export         Export a file containing the contents of the database
+          db_import         Import a scan result file (filetype will be auto-detected)
+          db_nmap           Executes nmap and records the output automatically
+          db_rebuild_cache  Rebuilds the database-stored module cache
+          db_status         Show the current database status
+          hosts             List all hosts in the database
+          loot              List all loot in the database
+          notes             List all notes in the database
+          services          List all services in the database
+          vulns             List all vulnerabilities in the database
+          workspace         Switch between database workspaces
+      """
+  
diff --git a/features/modules/exploit/smb/ms08_067_netapi.feature b/features/modules/exploit/smb/ms08_067_netapi.feature
@@ -0,0 +1,105 @@
+Feature: MS08-067 netapi
+
+  Background:
+    Given I run `msfconsole` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    
+  Scenario: The MS08-067 Module should have the following options
+    When I type "use exploit/windows/smb/ms08_067_netapi"
+    And I type "show options"
+    And I type "exit"
+    Then the output should contain the following:
+    | Module options (exploit/windows/smb/ms08_067_netapi)         |
+    | Name     Current Setting  Required  Description              |
+    | ----     ---------------  --------  -----------              |
+    | RHOST                     yes       The target address       |
+    | RPORT    445              yes       Set the SMB service port |
+    | RPORT    445              yes       Set the SMB service port |
+
+  Scenario: The MS08-067 Module should have the following advanced options
+    When I type "use exploit/windows/smb/ms08_067_netapi"
+    And I type "show advanced"
+    And I type "exit"
+    Then the output should contain the following:
+ | Name           : CHOST                                                           |
+ | Description    : The local client address                                        |
+ | Name           : CPORT                                                           |
+ | Description    : The local client port                                           |
+ | Name           : ConnectTimeout                                                  |
+ | Description    : Maximum number of seconds to establish a TCP connection         |
+ | Name           : ContextInformationFile                                          |
+ | Description    : The information file that contains context information          |
+ | Name           : DCERPC::ReadTimeout                                             |
+ | Description    : The number of seconds to wait for DCERPC responses              |
+ | Name           : DisablePayloadHandler                                           |
+ | Description    : Disable the handler code for the selected payload               |
+ | Name           : EnableContextEncoding                                           |
+ | Description    : Use transient context when encoding payloads                    |
+ | Name           : NTLM::SendLM                                                    |
+ | Description    : Always send the LANMAN response (except when NTLMv2_session is  |
+ | specified)                                                                       |
+ | Name           : NTLM::SendNTLM                                                  |
+ | Description    : Activate the 'Negotiate NTLM key' flag, indicating the use of   |
+ | NTLM responses                                                                   |
+ | Name           : NTLM::SendSPN                                                   |
+ | Current Setting: true                                                            |
+ | Description    : Send an avp of type SPN in the ntlmv2 client Blob, this allow   |
+ | authentification on windows Seven/2008r2 when SPN is required                    |
+ | Name           : NTLM::UseLMKey                                                  |
+ | Description    : Activate the 'Negotiate Lan Manager Key' flag, using the LM key |
+ | when the LM response is sent                                                     |
+ | Name           : NTLM::UseNTLM2_session                                          |
+ | Description    : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a   |
+ | NTLMv2_session                                                                   |
+ | Name           : NTLM::UseNTLMv2                                                 |
+ | Description    : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key  |
+ | is true                                                                          |
+ # | Name           : Proxies                                                         |
+ # | Description    : Use a proxy chain                                               |
+ | Name           : SMB::ChunkSize                                                  |
+ | Current Setting: 500                                                             |
+ | Description    : The chunk size for SMB segments, bigger values will increase    |
+ | speed but break NT 4.0 and SMB signing                                           |
+ | Name           : SMB::Native_LM                                                  |
+ | Description    : The Native LM to send during authentication                     |
+ | Name           : SMB::Native_OS                                                  |
+ | Description    : The Native OS to send during authentication                     |
+ | Name           : SMB::VerifySignature                                            |
+ | Description    : Enforces client-side verification of server response signatures |
+ | Name           : SMBDirect                                                       |
+ | Description    : The target port is a raw SMB service (not NetBIOS)              |
+ | Name           : SMBDomain                                                       |
+ | Description    : The Windows domain to use for authentication                    |
+ | Name           : SMBName                                                         |
+ | Description    : The NetBIOS hostname (required for port 139 connections)        |
+ | Name           : SMBPass                                                         |
+ | Description    : The password for the specified username                         |
+ | Name           : SMBUser                                                         |
+ | Description    : The username to authenticate as                                 |
+ | Name           : SSL                                                             |
+ | Description    : Negotiate SSL for outgoing connections                          |
+ | Name           : SSLCipher                                                       |
+ | Description    : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"           |
+ | Name           : SSLVerifyMode                                                   |
+ | Description    : SSL verification method (accepted: CLIENT_ONCE,                 |
+ | FAIL_IF_NO_PEER_CERT, NONE, PEER)                                                |
+ | Name           : SSLVersion                                                      |
+ | Description    : Specify the version of SSL that should be used (accepted: SSL2, |
+ | SSL3, TLS1)                                                                      |
+ | Name           : VERBOSE                                                         |
+ | Description    : Enable detailed status messages                                 |
+ | Name           : WORKSPACE                                                       |
+ | Description    : Specify the workspace for this module                           |
+ | Name           : WfsDelay                                                        |
+ | Description    : Additional delay when waiting for a session                     |
+
+  @targets
+  Scenario: Show RHOST/etc variable expansion from a config file
+    When I type "use exploit/windows/smb/ms08_067_netapi"
+    When RHOST is WINDOWS
+    And I type "set PAYLOAD windows/meterpreter/bind_tcp"
+    And I type "show options"
+    And I type "run"
+    And I type "exit"
+    And I type "exit"
+    Then the output should match /spider-wxp/
diff --git a/features/msfconsole/database_yml.feature b/features/msfconsole/database_yml.feature
@@ -1,3 +1,4 @@
+@boot
 Feature: `msfconsole` `database.yml`
 
   In order to connect to the database in `msfconsole`
@@ -156,3 +157,11 @@ Feature: `msfconsole` `database.yml`
     And the output should not contain "user_metasploit_framework_test"
     And the output should not contain "project_metasploit_framework_test"
     And the output should contain "[*] postgresql selected, no connection"
+    
+  Scenario: Starting `msfconsole` with a valid database.yml
+    Given I run `msfconsole` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    When I type "db_status"
+    And I type "exit"
+    Then the output should contain "[*] postgresql connected to metasploit_framework_test"
+  
diff --git a/features/step_definitions/console_output.rb b/features/step_definitions/console_output.rb
@@ -0,0 +1,5 @@
+Then /^the output should contain the following:$/ do |table|
+  table.raw.flatten.each do |expected|
+    assert_partial_output(expected, all_output)
+  end
+end
diff --git a/features/step_definitions/environment_variables.rb b/features/step_definitions/environment_variables.rb
diff --git a/features/step_definitions/msfconsole.rb b/features/step_definitions/msfconsole.rb
diff --git a/features/step_definitions/targets.rb b/features/step_definitions/targets.rb
@@ -0,0 +1,10 @@
+When /^targets are loaded$/ do
+  config_file = File.expand_path('features/support/targets.yml')
+  fail "Target config file #{config_file} does not exist" unless File.exists?(config_file)
+  @target_config = YAML.load_file(config_file)
+end
+
+When /^(RHOSTS?) (?:are|is) (\S+)$/ do |type, target_type|
+  fail "No target type #{target_type}" unless @target_config.key?(target_type)
+  step "I type \"set #{type} #{@target_config[target_type]}\""
+end
diff --git a/features/support/hooks.rb b/features/support/hooks.rb
@@ -1,4 +1,5 @@
 Before do
+  set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first)
   set_env('RAILS_ENV', 'test')
   @aruba_timeout_seconds = 3.minutes
 end
diff --git a/features/support/targets.yml.example b/features/support/targets.yml.example
@@ -0,0 +1,2 @@
+WINDOWS: spider-wxp.vuln.lax.rapid7.com
+LINUX: spider-ubuntu.vuln.lax.rapid7.com
diff --git a/lib/tasks/custom_cucumber.rake b/lib/tasks/custom_cucumber.rake
@@ -0,0 +1,19 @@
+unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks
+
+vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
+$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil?
+
+begin
+  require 'cucumber/rake/task'
+
+  namespace :cucumber do
+    Cucumber::Rake::Task.new({:boot => 'db:test:prepare'}, 'Run features that should pass') do |t|
+      t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
+      t.fork = true # You may get faster startup if you set this to false
+      t.profile = 'boot'
+    end
+  end
+  
+end
+
+end
