
Modules still calling the deprecated report_auth_info method

Open bcoles opened this issue 7 years ago • 5 comments

# grep -rn report_auth_info modules/
  • [ ] modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb:404: report_auth_info({
  • [ ] modules/auxiliary/sniffer/psnuffle.rb:135: def report_auth_info(*s)
  • [ ] modules/auxiliary/sniffer/psnuffle.rb:136: self.module.report_auth_info(*s)
  • [ ] modules/auxiliary/admin/scada/modicon_password_recovery.rb:184: report_auth_info(
  • [ ] modules/auxiliary/admin/scada/modicon_password_recovery.rb:234: # report_auth_info(
  • [ ] modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb:172: report_auth_info(
  • [x] modules/auxiliary/scanner/rservices/rsh_login.rb:247: report_auth_info(
  • [x] modules/auxiliary/scanner/rservices/rlogin_login.rb:328: report_auth_info(auth_info)
  • [x] modules/auxiliary/scanner/rservices/rexec_login.rb:161: report_auth_info(
  • [x] modules/auxiliary/server/capture/mssql.rb:272: report_auth_info(
  • [x] modules/auxiliary/server/capture/mssql.rb:530: report_auth_info(

bcoles • Jul 15 '18 12:07

# grep -rn report_auth_info data/exploits/psnuffle/
data/exploits/psnuffle/ftp.rb:43:          report_auth_info(s.merge({:active => false}))
data/exploits/psnuffle/ftp.rb:52:          report_auth_info(s)
data/exploits/psnuffle/smb.rb:174:              report_auth_info(
data/exploits/psnuffle/imap.rb:47:        report_auth_info(s)
data/exploits/psnuffle/imap.rb:55:        report_auth_info(s.merge({:active => false}))
data/exploits/psnuffle/imap.rb:62:        report_auth_info(s.merge({:active => false}))
data/exploits/psnuffle/pop3.rb:55:              report_auth_info(s)
data/exploits/psnuffle/pop3.rb:75:              report_auth_info(s)

bcoles • Jul 15 '18 12:07

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] • Dec 02 '20 15:12

Removing the stale label. Presumably, deprecated methods are deprecated for a reason.

# grep -rn report_auth_info modules/
modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb:404:      report_auth_info({
modules/auxiliary/admin/scada/modicon_password_recovery.rb:184:    report_auth_info(
modules/auxiliary/admin/scada/modicon_password_recovery.rb:234:    # report_auth_info(
modules/auxiliary/sniffer/psnuffle.rb:135:  def report_auth_info(*s)
modules/auxiliary/sniffer/psnuffle.rb:136:    self.module.report_auth_info(*s)
modules/auxiliary/server/capture/mssql.rb:270:      report_auth_info(
modules/auxiliary/server/capture/mssql.rb:528:        report_auth_info(
modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb:176:          report_auth_info(
modules/auxiliary/scanner/rservices/rlogin_login.rb:328:    report_auth_info(auth_info)
modules/auxiliary/scanner/rservices/rexec_login.rb:161:    report_auth_info(
modules/auxiliary/scanner/rservices/rsh_login.rb:247:    report_auth_info(

bcoles • Dec 02 '20 15:12

Confirmed still an issue, and this output is pretty bad:

use server/capture/mssql
run

use auxiliary/scanner/mssql/mssql_login
msf6 auxiliary(scanner/mssql/mssql_login) > run rhosts=127.0.0.1 username=foo password=bar
[*] 127.0.0.1:1433        - 127.0.0.1:1433 - MSSQL - Starting authentication scanner.
[!] *** auxiliary/server/capture/mssql is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] MSSQL LOGIN 127.0.0.1:54292 foo / bar
[!] 127.0.0.1:1433        - No active DB -- Credential data will not be saved!
[-] 127.0.0.1:1433        - 127.0.0.1:1433 - LOGIN FAILED: WORKSTATION\foo:bar (Incorrect: )
[!] *** auxiliary/server/capture/mssql is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!]      https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!]      https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!]      https://github.com/rapid7/metasploit-framework/pull/5376
[!]      https://github.com/rapid7/metasploit-framework/pull/5377
[*] MSSQL LOGIN 127.0.0.1:54293 foo / <empty>
[-] 127.0.0.1:1433        - 127.0.0.1:1433 - LOGIN FAILED: WORKSTATION\foo: (Incorrect: )
[*] 127.0.0.1:1433        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mssql/mssql_login) > 

adfoster-r7 • Dec 13 '21 12:12

From executing https://sourcegraph.com/search?q=context:%40tekwizz123/Metasploit-Framework+report_auth_info&patternType=standard&sm=1 it looks like there are also some documentation files that need updating:

  • [ ] docs/metasploit-framework.wiki/How-to-do-reporting-or-store-data-in-module-development.md
  • [ ] docs/metasploit-framework.wiki/Guidelines-for-Accepting-Modules-and-Enhancements.md
  • [ ] documentation/modules/auxiliary/scanner/rservices/rsh_login.md

The fact that we are suggesting that this is a method people should be using may be contributing to its usage.

I'd also add that we will need to update some of the spec files as well which appear to be using this:

  • [ ] spec/modules/auxiliary/scanner/lotus/lotus_domino_hashes_spec.rb
  • [ ] spec/support/shared/examples/msf/db_manager/cred.rb

And some of our scripts, but let's be honest, these were dead in the water a long time ago and should just be removed anyway:

  • [ ] scripts/meterpreter/hashdump.rb

Lots in the psnuffle directory, some mentioned above:

  • [ ] data/exploits/psnuffle/pop3.rb
  • [ ] data/exploits/psnuffle/imap.rb
  • [ ] data/exploits/psnuffle/ftp.rb
  • [ ] data/exploits/psnuffle/url.rb
  • [ ] data/exploits/psnuffle/smb.rb

Also in some plugins:

  • [ ] plugins/db_credcollect.rb

Libraries:

  • [ ] lib/msf/core/auxiliary/report.rb <- Aka where the method is defined
  • [ ] lib/msf/core/db_manager/cred.rb

gwillcox-r7 • Dec 29 '22 23:12

Closed by https://github.com/rapid7/metasploit-framework/pull/18398

adfoster-r7 • Jan 19 '24 00:01