Register VulnAttempts for both Exploit and Auxiliary modules #20263

Open
wants to merge 1 commit into master

Conversation

cdelafuente-r7

In continuation to the ExploitAttempt PR, this one enables auxiliary modules to properly register as a VulnAttempt. Due to the nature of auxiliary modules, it is not guaranteed the module properly reports a failure or a success. In fact, most of the auxiliary modules don’t call fail_with, but just return nil. Also, scanner/gather modules that get no results also won’t report this attempt as a failure. For all of these reasons, the resulting VulnAttempt for auxiliary modules will have a fail_reason with the value none when the actual result is unknown.

Verification

Register a vulnerability using an exploit and an auxiliary module

This will require a Windows target and admin credentials.

  • Start msfconsole
  • Create a new workspace: workspace -a vuln_attempt_test
  • Make sure no vulnerabilities and no hosts are registered with vulns and hosts commands
  • use exploit/windows/smb/psexec
  • run verbose=true rhosts=<remote host> smbuser=<username> smbpass=<password>
  • Make sure you get a session
  • Back to the console, verify a vulnerability and host are registered with vulns and hosts commands
  • Enter Pry with the pry command
  • Get the vulnerability ID with this command: Mdm::Host.where(workspace: Mdm::Workspace.where(name: 'vuln_attempt_test').first).first.vulns.first.id
  • Check the vuln attempts by querying the Mdm::VulnAttempt data model with this command: Mdm::VulnAttempt.where(vuln_id: <vuln ID>)
  • Verify the vuln attempt is correctly registered
  • Repeat with a failing attempt (e.g. wrong password or wrong IP address) and verify the failed vuln attempt is also registered.
  • Repeat with an auxiliary module that is related to the same vulnerability (use auxiliary/admin/smb/psexec_ntdsgrab).
  • Verify the vuln attempts are correctly registered

Scenarios

msf6 > workspace -a vuln_attempt_test
[*] Added workspace: vuln_attempt_test
[*] Workspace: vuln_attempt_test
msf6 > vulns

Vulnerabilities
===============

Timestamp  Host  Name  References
---------  ----  ----  ----------

msf6 > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

msf6 > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > run verbose=true rhosts=10.210.23.21 smbuser=msfuser smbpass=msfuser
[*] 10.210.23.21:445 - Connecting to the server...
[*] 10.210.23.21:445 - Authenticating to 10.210.23.21:445 as user 'msfuser'...
[*] 10.210.23.21:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 10.210.23.21:445 - PowerShell found
[*] 10.210.23.21:445 - Selecting PowerShell target
[*] 10.210.23.21:445 - Powershell command length: 4279
[*] 10.210.23.21:445 - Executing the payload...
[*] 10.210.23.21:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.210.23.21[\svcctl] ...
[*] 10.210.23.21:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.210.23.21[\svcctl] ...
[*] 10.210.23.21:445 - Obtaining a service manager handle...
[*] 10.210.23.21:445 - Creating the service...
[+] 10.210.23.21:445 - Successfully created the service
[*] 10.210.23.21:445 - Starting the service...
[+] 10.210.23.21:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.210.23.21:445 - Removing the service...
[+] 10.210.23.21:445 - Successfully removed the service
[*] 10.210.23.21:445 - Closing service handle...
[*] Started bind TCP handler against 10.210.23.21:4444
[*] Sending stage (177734 bytes) to 10.210.23.21
[*] Meterpreter session 1 opened (192.168.144.3:43871 -> 10.210.23.21:4444) at 2025-05-28 19:06:37 +0200

meterpreter > [*] Shutting down session: 1

[*] 10.210.23.21 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(windows/smb/psexec) > vulns

Vulnerabilities
===============

Timestamp                Host          Name                                                 References
---------                ----          ----                                                 ----------
2025-05-28 17:06:37 UTC  10.210.23.21  Microsoft Windows Authenticated User Code Execution  CVE-1999-0504,OSVDB-3106,URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx,URL-https://www.optiv.com/blog/owning-computers-without-shell-access,URL-http://sourcef
                                                                                            orge.net/projects/smbexec/

msf6 exploit(windows/smb/psexec) > hosts

Hosts
=====

address       mac  name            os_name       os_flavor  os_sp  purpose  info  comments
-------       ---  ----            -------       ---------  -----  -------  ----  --------
10.210.23.21       msfuser-2008R2  Windows 2008             SP1    server

msf6 exploit(windows/smb/psexec) > pry
[*] Starting Pry shell...
[*] You are in the "exploit/windows/smb/psexec" module object

...[SNIP]...

[1] pry(#<Msf::Ui::Console::CommandDispatcher::Developer>)> Mdm::Host.where(workspace: Mdm::Workspace.where(name: 'vuln_attempt_test').first).first.vulns.first.id
=> 20
[2] pry(#<Msf::Ui::Console::CommandDispatcher::Developer>)> Mdm::VulnAttempt.where(vuln_id: 20)
=> [#<Mdm::VulnAttempt:0x0000726bae6f1198 id: 41, vuln_id: 20, attempted_at: 2025-05-28 17:06:37.162081 UTC, exploited: true, fail_reason: nil, username: "n00tmeg", module: "exploit/windows/smb/psexec", session_id: 36, loot_id: nil, fail_detail: nil>]
[3] pry(#<Msf::Ui::Console::CommandDispatcher::Developer>)>
msf6 exploit(windows/smb/psexec) > run verbose=true rhosts=10.210.23.21 smbuser=msfuser smbpass=wrong
[*] 10.210.23.21:445 - Connecting to the server...
[*] 10.210.23.21:445 - Authenticating to 10.210.23.21:445 as user 'msfuser'...
[-] 10.210.23.21:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) > pry
[*] Starting Pry shell...
[*] You are in the "exploit/windows/smb/psexec" module object

...[SNIP]...

[1] pry(#<Msf::Ui::Console::CommandDispatcher::Developer>)> Mdm::VulnAttempt.where(vuln_id: 20)
=> [#<Mdm::VulnAttempt:0x0000726bae731040 id: 41, vuln_id: 20, attempted_at: 2025-05-28 17:06:37.162081 UTC, exploited: true, fail_reason: nil, username: "n00tmeg", module: "exploit/windows/smb/psexec", session_id: 36, loot_id: nil, fail_detail: nil>,
 #<Mdm::VulnAttempt:0x0000726bae730280
  id: 42,
  vuln_id: 20,
  attempted_at: 2025-05-28 17:07:07.516117 UTC,
  exploited: false,
  fail_reason: "no-access",
  username: "n00tmeg",
  module: "exploit/windows/smb/psexec",
  session_id: nil,
  loot_id: nil,
  fail_detail: "Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.">]
[2] pry(#<Msf::Ui::Console::CommandDispatcher::Developer>)>
msf6 exploit(windows/smb/psexec) >
msf6 exploit(windows/smb/psexec) >
msf6 exploit(windows/smb/psexec) > use auxiliary/admin/smb/psexec_ntdsgrab
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(admin/smb/psexec_ntdsgrab) > run verbose=true rhosts=10.210.23.21 smbuser=msfuser smbpass=wrong
[*] Running module against 10.210.23.21
[-] 10.210.23.21:445 - Unable to authenticate with given credentials: Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/smb/psexec_ntdsgrab) > pry
[*] Starting Pry shell...
[*] You are in the "auxiliary/admin/smb/psexec_ntdsgrab" module object

...[SNIP]...

[1] pry(#<Msf::Ui::Console::CommandDispatcher::Developer>)> Mdm::VulnAttempt.where(vuln_id: 20)
=> [#<Mdm::VulnAttempt:0x0000726bae731f40 id: 41, vuln_id: 20, attempted_at: 2025-05-28 17:06:37.162081 UTC, exploited: true, fail_reason: nil, username: "n00tmeg", module: "exploit/windows/smb/psexec", session_id: 36, loot_id: nil, fail_detail: nil>,
 #<Mdm::VulnAttempt:0x0000726bae731cc0
  id: 42,
  vuln_id: 20,
  attempted_at: 2025-05-28 17:07:07.516117 UTC,
  exploited: false,
  fail_reason: "no-access",
  username: "n00tmeg",
  module: "exploit/windows/smb/psexec",
  session_id: nil,
  loot_id: nil,
  fail_detail: "Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.">,
 #<Mdm::VulnAttempt:0x0000726bae731a40 id: 43, vuln_id: 20, attempted_at: 2025-05-28 17:08:26.621116 UTC, exploited: false, fail_reason: "none", username: "n00tmeg", module: "auxiliary/admin/smb/psexec_ntdsgrab", session_id: nil, loot_id: nil, fail_detail: nil>]
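The records above show the three outcomes a VulnAttempt can now carry: a confirmed success (exploited: true), a confirmed failure from an exploit's fail_with (fail_reason "no-access"), and the auxiliary case where the result is unknown and fail_reason is "none". The following is an added example, not code from the pull request or from the Metasploit framework, showing how a triage script that reads these records should treat the "none" case as unknown rather than as a failed attempt. The records are constructed to mirror the pry output; the Struct, the `module_name` field (standing in for the `module` column) and the classification function are assumptions of this example.

```ruby
# Added example (not part of the Metasploit PR): triage VulnAttempt-style records
# the way the PR description says they should be read. Values are constructed
# to mirror the three records shown in the pry output above.
require 'time'

# Subset of the Mdm::VulnAttempt columns; `module_name` stands in for the
# `module` column to avoid shadowing the Ruby keyword.
VulnAttempt = Struct.new(:id, :vuln_id, :attempted_at, :exploited, :fail_reason,
                         :module_name, :session_id, :fail_detail, keyword_init: true)

# Constructed sample, modelled on ids 41, 42 and 43 in the scenario.
SAMPLE_ATTEMPTS = [
  VulnAttempt.new(id: 41, vuln_id: 20, attempted_at: Time.parse('2025-05-28 17:06:37 UTC'),
                  exploited: true, fail_reason: nil,
                  module_name: 'exploit/windows/smb/psexec', session_id: 36, fail_detail: nil),
  VulnAttempt.new(id: 42, vuln_id: 20, attempted_at: Time.parse('2025-05-28 17:07:07 UTC'),
                  exploited: false, fail_reason: 'no-access',
                  module_name: 'exploit/windows/smb/psexec', session_id: nil,
                  fail_detail: 'Login Failed: (0xc000006d) STATUS_LOGON_FAILURE'),
  VulnAttempt.new(id: 43, vuln_id: 20, attempted_at: Time.parse('2025-05-28 17:08:26 UTC'),
                  exploited: false, fail_reason: 'none',
                  module_name: 'auxiliary/admin/smb/psexec_ntdsgrab', session_id: nil,
                  fail_detail: nil),
].freeze

# Classify one record. An auxiliary module that neither succeeded nor called
# fail_with is registered with fail_reason "none": that is an unknown outcome,
# not evidence that the target is unaffected, so it must not count as a failure.
def classify_attempt(attempt)
  return :exploited if attempt.exploited
  return :unknown if attempt.fail_reason.nil? || attempt.fail_reason == 'none'

  :failed
end

# Group attempts by vuln_id, count each outcome, and flag whether the vuln has
# at least one confirmed success (the signal a triage workflow acts on).
def summarize_attempts(attempts)
  attempts.group_by(&:vuln_id).transform_values do |list|
    counts = Hash.new(0)
    list.each { |a| counts[classify_attempt(a)] += 1 }
    {
      exploited: counts[:exploited],
      failed: counts[:failed],
      unknown: counts[:unknown],
      confirmed: counts[:exploited].positive?,
      last_attempt: list.map(&:attempted_at).max
    }
  end
end

if $PROGRAM_NAME == __FILE__
  summarize_attempts(SAMPLE_ATTEMPTS).each do |vuln_id, s|
    puts "vuln #{vuln_id}: #{s[:exploited]} exploited, #{s[:failed]} failed, " \
         "#{s[:unknown]} unknown (confirmed=#{s[:confirmed]}, last=#{s[:last_attempt].utc})"
  end
end
```

Run with `ruby vuln_attempt_triage.rb` (any file name works). The point of the three-way split is that a later consumer of the table, for example a report generator, can tell a vulnerability that was confirmed exploitable from one that only had an inconclusive auxiliary run against it, instead of collapsing both into "not exploited".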
