
Psnuffle's POP3 sniffer does not extract banner information

Open errorxyz opened this issue 1 year ago • 1 comments

Steps to reproduce

  1. Set up a POP3 server using Docker: docker run -d -it -p 1110:110 esminis/mail-server-postfix-vm-pop3d
  2. In metasploit: use psnuffle
  3. set interface docker0
  4. set protocols pop3
  5. run
  6. Connect to pop3 server in a new terminal: telnet 127.0.0.1 1110
  7. USER test
  8. PASS test

Output:

msf6 auxiliary(sniffer/psnuffle) > run
[*] Auxiliary module running as background job 4.
msf6 auxiliary(sniffer/psnuffle) > 
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Sniffing traffic.....
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://docs.metasploit.com/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html
[!]      https://docs.metasploit.com/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[-] Auxiliary failed: NoMethodError undefined method `strip' for nil:NilClass
[-] Call stack:
[-]   (eval):76:in `block in parse'
[-]   (eval):25:in `each_key'
[-]   (eval):25:in `parse'
[-]   /usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:89:in `block (2 levels) in run'
[-]   /usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:88:in `each_key'
[-]   /usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:88:in `block in run'
[-]   /usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:171:in `block in each_packet'
[-]   /usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:170:in `each'
[-]   /usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:170:in `each_packet'
[-]   /usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:83:in `run'

Were you following a specific guide/tutorial or reading documentation?

No

Expected behavior

Psnuffle should successfully sniff the passwords and print the information along with the banner

Current behavior

Psnuffle tries to do s[:banner].strip (here) without first setting s[:banner], which is nil, resulting in the error (NoMethodError undefined method `strip' for nil:NilClass).

Metasploit version

Framework: 6.3.46-dev
Console: 6.3.46-dev

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
loglevel=3

[framework/database/local_db_service]
url=[Filtered]

[framework/ui/console]
ActiveModule=auxiliary/sniffer/psnuffle

[sniffer/psnuffle]
INTERFACE=docker0
PROTOCOLS=pop3
WORKSPACE=
VERBOSE=false
PCAPFILE=
FILTER=
SNAPLEN=65535
TIMEOUT=500
SECRET=1297303073
GATEWAY_PROBE_HOST=8.8.8.8
GATEWAY_PROBE_PORT=
ProtocolBase=/usr/share/metasploit-framework/data/exploits/psnuffle

Database Configuration

The database contains the following information:

Session Type: Connected to msf. Connection type: postgresql.
ID           Hosts  Vulnerabilities  Notes  Services
1 (Current)  4      0                0      9
2            1      0                0      1
Total (2)    5      0                0      10

History

The following commands were ran during the session and before this issue occurred:

708    set loglevel 3
709    use psnuffle
710    set interface docker0
711    set protocols pop3
712    run
713    debug

Framework Errors

The following framework errors occurred before the issue occurred:

[12/16/2023 22:46:19] [e(0)] core: Module psnuffle not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[12/16/2023 22:46:49] [e(0)] core: Auxiliary failed - NoMethodError undefined method `strip' for nil:NilClass
[12/16/2023 23:00:03] [e(0)] core: Auxiliary failed - NoMethodError undefined method `strip' for nil:NilClass
[12/16/2023 23:02:46] [e(0)] core: Auxiliary failed - NoMethodError undefined method `strip' for nil:NilClass
[12/16/2023 23:10:21] [e(0)] core: Auxiliary failed - NoMethodError undefined method `strip' for nil:NilClass
[12/16/2023 23:18:48] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2023 23:18:48] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2023 23:18:48] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2023 23:18:57] [e(0)] core: Module psnuffle not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[12/16/2023 23:19:16] [e(0)] core: Auxiliary failed - NoMethodError undefined method `strip' for nil:NilClass
Call stack:
(eval):76:in `block in parse'
(eval):25:in `each_key'
(eval):25:in `parse'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:89:in `block (2 levels) in run'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:88:in `each_key'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:88:in `block in run'
/usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:171:in `block in each_packet'
/usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:170:in `each'
/usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:170:in `each_packet'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:83:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/auxiliary.rb:178:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/base/simple/auxiliary.rb:78:in `block in run_simple'
/usr/share/metasploit-framework/lib/rex/job.rb:49:in `block in start'
/usr/share/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage osx/x86/vforkshell have incompatible platforms: ["Android"] - ["OSX"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage osx/x64/meterpreter have incompatible platforms: ["Android"] - ["OSX"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage osx/x64/dupandexecve have incompatible platforms: ["Android"] - ["OSX"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage java/meterpreter have incompatible platforms: ["Android"] - ["Java"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage java/shell have incompatible platforms: ["Android"] - ["Java"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage php/meterpreter have incompatible platforms: ["Android"] - ["PHP"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/armle/meterpreter have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/armle/shell have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/mipsbe/meterpreter have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/mipsbe/shell have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/aarch64/meterpreter have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/aarch64/shell have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/x86/meterpreter have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/x86/shell have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/mipsle/meterpreter have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/mipsle/shell have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/x64/meterpreter have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage linux/x64/shell have incompatible platforms: ["Android"] - ["Linux"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage multi/meterpreter have incompatible platforms: ["Android"] - ["Multi"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage bsdi/x86/shell have incompatible platforms: ["Android"] - ["BSDi"]
[12/16/2023 23:18:55] [d(2)] core: Stager android/reverse_https and stage bsd/x86/shell have incompatible platforms: ["Android"] - ["BSD"]
[12/16/2023 23:18:55] [d(3)] core: Checking compat [ with ]: javasocket to javaurl
[12/16/2023 23:18:55] [d(3)] core: Checking compat [ with ]: javaurl to javaurl
[12/16/2023 23:18:55] [d(1)] core: Module  is compatible with 
[12/16/2023 23:18:55] [d(3)] core: Checking compat [ with ]: javasocket to javaurl
[12/16/2023 23:18:55] [d(3)] core: Checking compat [ with ]: javaurl to javaurl
[12/16/2023 23:18:55] [d(1)] core: Module  is compatible with 
[12/16/2023 23:18:55] [d(2)] core: Built staged payload android/meterpreter/reverse_https.
[12/16/2023 23:18:55] [d(1)] core: Module  is compatible with 
[12/16/2023 23:18:55] [d(1)] core: Module  is compatible with 
[12/16/2023 23:18:55] [d(2)] core: Built staged payload android/shell/reverse_https.
[12/16/2023 23:18:57] [e(0)] core: Module psnuffle not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[12/16/2023 23:18:57] [i(2)] core: Reloading auxiliary module sniffer/psnuffle. Ambiguous module warnings are safe to ignore
[12/16/2023 23:19:16] [e(0)] core: Auxiliary failed - NoMethodError undefined method `strip' for nil:NilClass
Call stack:
(eval):76:in `block in parse'
(eval):25:in `each_key'
(eval):25:in `parse'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:89:in `block (2 levels) in run'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:88:in `each_key'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:88:in `block in run'
/usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:171:in `block in each_packet'
/usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:170:in `each'
/usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:170:in `each_packet'
/usr/share/metasploit-framework/modules/auxiliary/sniffer/psnuffle.rb:83:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/auxiliary.rb:178:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/base/simple/auxiliary.rb:78:in `block in run_simple'
/usr/share/metasploit-framework/lib/rex/job.rb:49:in `block in start'
/usr/share/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.3.46-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.0.8 7 Feb 2023
Install Root: /usr/share/metasploit-framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Other - Please specify

errorxyz avatar Dec 16 '23 18:12 errorxyz

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] avatar Jan 16 '24 15:01 github-actions[bot]

  1. Flow of problem, I added a print_status("s: #{s}"):

Outcome of connect:

msf6 auxiliary(sniffer/psnuffle) > [*] Sniffing traffic.....
[*] s: {:client_host=>"172.17.0.1", :client_port=>"40158", 
:host=>"172.17.0.2", :port=>"110", 
:session=>"172.17.0.1:40158-172.17.0.2:110", 
:ctime=>2024-04-05 19:03:31.052785515 +0300, 
:mtime=>2024-04-05 19:03:31.052786693 +0300}

Outcome of USER:

[*] s: {:client_host=>"172.17.0.1", :client_port=>"40158",
:host=>"172.17.0.2", :port=>"110", 
:session=>"172.17.0.1:40158-172.17.0.2:110", :ctime=>2024-04-05 19:03:31.052785515 +0300, 
:mtime=>2024-04-05 19:04:05.868451085 +0300, 
:info=>"+OK POP3 Welcome to vm-pop3d 1.1.6 <155.1712333010@0537eab172fa>\r", 
:proto=>"tcp", :name=>"pop3", :last=>:user, :user=>"A\r"}

Message of PASS:

[-] Auxiliary failed: NoMethodError undefined method `strip' for nil:NilClass
[-] Call stack:
[-]   (eval):95:in `block in parse'
[-]   (eval):25:in `each_key'
[-]   (eval):25:in `parse'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:92:in `block (2 levels) in run'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:91:in `each_key'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:91:in `block in run'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/capture.rb:171:in `block in each_packet'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/capture.rb:170:in `each'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/capture.rb:170:in `each_packet'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:87:in `run'

  2. Still happens in latest version

       =[ metasploit v6.4.1-dev-                          ]
+ -- --=[ 2405 exploits - 1239 auxiliary - 422 post       ]
+ -- --=[ 1465 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use psnuffle

Matching Modules
================

   #  Name                        Disclosure Date  Rank    Check  Description
   -  ----                        ---------------  ----    -----  -----------
   0  auxiliary/sniffer/psnuffle  .                normal  No     pSnuffle Packet Sniffer
   1    \_ action: List           .                .       .      List protocols
   2    \_ action: Sniffer        .                .       .      Run sniffer


Interact with a module by name or index. For example info 2, use 2 or use auxiliary/sniffer/psnuffle
After interacting with a module you can manually set a ACTION with set ACTION 'Sniffer'

[*] Using auxiliary/sniffer/psnuffle
msf6 auxiliary(sniffer/psnuffle) > set interface docker0
interface => docker0
msf6 auxiliary(sniffer/psnuffle) > set protocols pop3
protocols => pop3
msf6 auxiliary(sniffer/psnuffle) > run
[*] Auxiliary module running as background job 0.

[*] Loaded protocol POP3 from /opt/metasploit-framework/embedded/framework/data/exploits/psnuffle/pop3.rb...
msf6 auxiliary(sniffer/psnuffle) > [*] Sniffing traffic.....
[-] Auxiliary failed: NoMethodError undefined method `strip' for nil:NilClass
[-] Call stack:
[-]   (eval):94:in `block in parse'
[-]   (eval):25:in `each_key'
[-]   (eval):25:in `parse'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:92:in `block (2 levels) in run'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:91:in `each_key'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:91:in `block in run'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/capture.rb:171:in `block in each_packet'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/capture.rb:170:in `each'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/capture.rb:170:in `each_packet'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/sniffer/psnuffle.rb:87:in `run'

nrathaus avatar Apr 05 '24 16:04 nrathaus
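
The failure shown in the comment above, as an added Ruby example that is not psnuffle's code or the proposed fix: the state dump holds the server greeting under :info and has no :banner key, so calling .strip on s[:banner] raises. The method names, the constructed session lines and the fallback to :info are assumptions made for illustration.

```ruby
# Added example, not psnuffle's pop3.rb. The keys :host, :info, :user and :last
# are taken from the state dump in the thread; method names are hypothetical.

# Constructed lines for one POP3 session (not a real capture).
SAMPLE_SESSION = [
  [:server, "+OK POP3 Welcome to vm-pop3d 1.1.6 <constructed@example>\r"],
  [:client, "USER test\r"],
  [:server, "+OK\r"],
  [:client, "PASS test\r"]
].freeze

# Fold one line into the session hash. As in the dump, the greeting is stored
# under :info and nothing ever assigns :banner.
def track(state, side, line)
  if side == :server && state[:last].nil? && state[:info].nil? && line.start_with?('+OK')
    state[:info] = line
  elsif side == :client && line =~ /\AUSER\s+(.*)/i
    state[:user] = Regexp.last_match(1) # keeps the trailing "\r", as in the dump
    state[:last] = :user
  elsif side == :client && line =~ /\APASS\s+/i
    state[:last] = :pass # the secret itself is deliberately not kept here
  end
  state
end

# Replay a list of [side, line] pairs into a fresh session hash.
def replay(lines, host: '172.17.0.2')
  lines.each_with_object({ host: host }) { |(side, line), s| track(s, side, line) }
end

# The failing pattern from the report: :banner was never set, so this is nil.strip.
def report_unsafe(state)
  "POP3 login by #{state[:user].strip} on #{state[:host]} (#{state[:banner].strip})"
end

# Hardened: read whichever key holds the greeting and tolerate a missing one,
# which also happens when sniffing starts after the server greeting was sent.
def report_safe(state)
  banner = (state[:banner] || state[:info]).to_s.strip
  banner = 'banner not captured' if banner.empty?
  "POP3 login by #{state[:user].to_s.strip} on #{state[:host]} (#{banner})"
end

begin
  report_unsafe(replay(SAMPLE_SESSION))
rescue NoMethodError => e
  puts "unsafe report failed: #{e.message}"
end
puts report_safe(replay(SAMPLE_SESSION))
puts report_safe(replay(SAMPLE_SESSION.drop(1))) # capture began after the greeting
```
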

A fix proposed in https://github.com/rapid7/metasploit-framework/issues/18625

nrathaus avatar Apr 05 '24 16:04 nrathaus

@nrathaus I think you meant #19059

errorxyz avatar Apr 05 '24 17:04 errorxyz

No, I meant #18625, as my fix directly addresses the banner extraction

nrathaus avatar Apr 07 '24 05:04 nrathaus