Protocol detection #20

Open
hazcod opened this issue Mar 5, 2019 · 9 comments
@hazcod commented Mar 5, 2019

Hi,

First of all, thanks for the project! I really like the idea.
The README mentions the following example:

```hcl
variable "target_host" {
  type = "string"
}
resource "nslookup" "nslookup" {
  dns_server = "8.8.4.4"
  host = "${var.target_host}"
}
resource "nmap" "nmap" {
  for_each = "${nslookup.ip_address}"
  host = "${each.key}"
}
// for each IP, check if nmap found port 25 open.
// if yes, run metasploit's smtp_enum scanner
resource "metasploit" "metasploit" {
  for_each = "${nslookup.ip_address}"
  exploit = "auxiliary/scanner/smtp/smtp_enum"
  options = {
    RHOSTS = "${each.key}"
  }
  plugin_enabled = "${nmap["${each.key}"].25 == "open"}"
}
```

However, most of the time you will need to detect the protocol and not rely on standard ports.
Is it currently possible to do so? e.g. launch a TLS scan for every port where (START)TLS was detected?

@stevenaldinger (Owner) commented

Thanks for checking it out! I really appreciate the feedback here too.

The examples are limited to my personal knowledge of tools right now but I'd be happy to add in that functionality. Is TLS detection something metasploit can do or do you have a tool you can refer me to? I'd love to write a plugin and add an example for that as early as this weekend if you can recommend a tool.

@stevenaldinger (Owner) commented

Are you familiar with this tool? It looks like it would accomplish what you're suggesting for SSL specifically.

Thanks again for your input, I'll add support for this to decker soon. Let me know if you know of other tools you'd recommend.

https://github.com/drwetter/testssl.sh

@hazcod (Author) commented Mar 5, 2019

nmap (which is already a plugin) could be used to do protocol detection,
e.g. `nmap -O`.

@stevenaldinger (Owner) commented

You're absolutely right, thanks for the guidance!
Right now the nmap plugin is really basic and does not support passing in flags. I'll resolve this ASAP, it should be a quick update.

@stevenaldinger (Owner) commented Mar 12, 2019

Just wanted you to know I started working on this. I ran into an issue with a library the nmap plugin was using, so it's taking a little longer than expected just to avoid making a mess. Thanks again for the feedback/suggestion.

You can expect something like this to be available soon:

```hcl
variable "target_host" {
  type = "string"
}

resource "nmap" "nmap" {
  host = "${var.target_host}"
  type = "protocol_detection"
}

resource "metasploit" "metasploit" {
  for_each = "${nmap.port}"
  exploit = "auxiliary/scanner/ssh/ssh_login"
  options = {
    RHOSTS = "${var.target_host}"
    RPORT = "${each.key}"
    USERPASS_FILE = "/usr/share/metasploit-framework/data/wordlists/root_userpass.txt"
  }
  plugin_enabled = "${nmap["${each.key}"].protocol == "ssh"}"
}
```

@stevenaldinger stevenaldinger added the enhancement New feature or request label Mar 12, 2019
@stevenaldinger stevenaldinger self-assigned this Mar 12, 2019
@stevenaldinger (Owner) commented Mar 23, 2019

I wasn't sure if I'd have time to finish this this weekend, so I pushed up a separate plugin specifically for this purpose. It's pretty rough but will be refactored soon and merged with the existing nmap plugin. It also works a bit differently than I mentioned earlier for now and is dangerous: it'll likely panic if you tell it to run on all ssh ports and none are found. (That'll be fixed soon too.)

In the meantime there's an example config file here.

It'll look like this (make sure the plugin is `nmap_protocol_detection` and not just `nmap`) and will run on every port it discovers is ssh:

```hcl
resource "nmap_protocol_detection" "nmap" {
  host = "${var.target_host}"
  type = "protocol_detection"
}

resource "metasploit" "metasploit" {
  for_each = "${nmap.ssh}"
  exploit = "auxiliary/scanner/ssh/ssh_login"
  options = {
    RHOSTS = "${var.target_host}"
    RPORT = "${each.key}"
    USERPASS_FILE = "/usr/share/metasploit-framework/data/wordlists/root_userpass.txt"
  }
}
```

You can run the example with `./decker ./examples/nmap-protocols.hcl`

@acarnage commented

Dumb question here: if a host has 2 ssh services running, let's say 22 and 2222, will the for_each loop process each port?

@stevenaldinger (Owner) commented Mar 27, 2019

That's correct, in that case both ports would be processed. nmap.ssh ends up being a list of ports open with that service detected, and the for_each grabs one at a time from the list and substitutes it into "${each.key}".

```hcl
nmap.ssh = ["22", "2222"]
```
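Building that per-service port list from a scan result, as an added Go example that is not decker's own plugin code (which is not shown in this thread): it parses nmap's XML output, groups open ports by the service nmap detected, and treats a service with no hits as absent from the map (ranging over it is a no-op) rather than something to index into, which is the failure mode mentioned above. The XML fragment is constructed sample data.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed fragment in the shape of nmap -oX output with -sV service
// detection (a single-host scan); not real scan data.
const sampleXML = `<nmaprun><host><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="2222"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
</ports></host></nmaprun>`

// Only the elements needed are mapped: every port under host/ports, with the
// state nmap reported and the service name it assigned.
type nmapRun struct {
	Ports []struct {
		ID      string                              `xml:"portid,attr"`
		State   struct{ S string `xml:"state,attr"` } `xml:"state"`
		Service struct{ N string `xml:"name,attr"` }  `xml:"service"`
	} `xml:"host>ports>port"`
}

// portsByService groups open ports by detected service, the structure the
// thread describes for nmap.ssh, e.g. {"ssh": ["22","2222"]}. A service that
// was never seen is simply absent: ranging over m["telnet"] is a no-op, not a panic.
func portsByService(xmlOut []byte) (map[string][]string, error) {
	var run nmapRun
	if err := xml.Unmarshal(xmlOut, &run); err != nil {
		return nil, err
	}
	byService := map[string][]string{}
	for _, p := range run.Ports {
		if p.State.S == "open" && p.Service.N != "" { // drop closed/filtered and unnamed
			byService[p.Service.N] = append(byService[p.Service.N], p.ID)
		}
	}
	return byService, nil
}

func main() {
	m, err := portsByService([]byte(sampleXML))
	if err != nil {
		panic(err)
	}
	fmt.Println("ssh:", m["ssh"], "smtp:", m["smtp"], "telnet:", m["telnet"])
}
```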

@acarnage commented

Hey!
I'm trying to build a first plugin, basically launching "dirb" against a URL.
I wonder how I can write the HCL code in order to target 2 URLs. My following attempts fail with "index out of range":

```hcl
resource "dirb" "dirb" {
  for_each = ["https://www.google.fr", "https://www.google.com"]
  target = "${each.key}"
}
```
