Module: Msf::Auxiliary::Report

Overview

This module provides methods for reporting data to the DB

Instance Method Summary collapse

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#active_db?Boolean

This method overrides the method from Metasploit::Credential to check for an active db

Returns:

  • (Boolean)


78
79
80
# File 'lib/msf/core/auxiliary/report.rb', line 78

def active_db?
  framework.db.active
end

#create_cracked_credential(opts = {}) ⇒ Object



27
28
29
30
31
32
33
34
35
# File 'lib/msf/core/auxiliary/report.rb', line 27

def create_cracked_credential(opts={})
  if active_db?
    opts = { :task_id => mytask.id }.merge(opts) if mytask
    framework.db.create_cracked_credential(opts)
  elsif !db_warning_given?
    vprint_warning('No active DB -- Credential data will not be saved!')
    nil
  end
end

#create_credential(opts = {}) ⇒ Object



37
38
39
40
41
42
43
44
45
# File 'lib/msf/core/auxiliary/report.rb', line 37

def create_credential(opts={})
  if active_db?
    opts = { :task_id => mytask.id }.merge(opts) if mytask
    framework.db.create_credential(opts)
  elsif !db_warning_given?
    vprint_warning('No active DB -- Credential data will not be saved!')
    nil
  end
end

#create_credential_and_login(opts = {}) ⇒ Object



57
58
59
60
61
62
63
64
65
# File 'lib/msf/core/auxiliary/report.rb', line 57

def (opts={})
  if active_db?
    opts = { :task_id => mytask.id }.merge(opts) if mytask
    framework.db.(opts)
  elsif !db_warning_given?
    vprint_warning('No active DB -- Credential data will not be saved!')
    nil
  end
end

#create_credential_login(opts = {}) ⇒ Object



47
48
49
50
51
52
53
54
55
# File 'lib/msf/core/auxiliary/report.rb', line 47

def (opts={})
  if active_db?
    opts = { :task_id => mytask.id }.merge(opts) if mytask
    framework.db.(opts)
  elsif !db_warning_given?
    vprint_warning('No active DB -- Credential data will not be saved!')
    nil
  end
end

#dbObject

Shortcut method for detecting when the DB is active



83
84
85
# File 'lib/msf/core/auxiliary/report.rb', line 83

def db
  framework.db.active
end

#db_warning_given?Boolean

Returns:

  • (Boolean)


18
19
20
21
22
23
24
25
# File 'lib/msf/core/auxiliary/report.rb', line 18

def db_warning_given?
  if @warning_issued
    true
  else
    @warning_issued = true
    false
  end
end

#get_client(opts = {}) ⇒ Object



161
162
163
164
165
# File 'lib/msf/core/auxiliary/report.rb', line 161

def get_client(opts={})
  return if not db
  opts = {:workspace => myworkspace}.merge(opts)
  framework.db.get_client(opts)
end

#get_host(opts) ⇒ Object



138
139
140
141
142
# File 'lib/msf/core/auxiliary/report.rb', line 138

def get_host(opts)
  return if not db
  opts = {:workspace => myworkspace}.merge(opts)
  framework.db.get_host(opts)
end

#inside_workspace_boundary?(ip) ⇒ Boolean

Returns:

  • (Boolean)


113
114
115
116
117
# File 'lib/msf/core/auxiliary/report.rb', line 113

def inside_workspace_boundary?(ip)
  return true if not framework.db.active
  allowed = myworkspace.allow_actions_on?(ip)
  return allowed
end

#invalidate_login(opts = {}) ⇒ Object



67
68
69
70
71
72
73
74
75
# File 'lib/msf/core/auxiliary/report.rb', line 67

def (opts={})
  if active_db?
    opts = { :task_id => mytask.id }.merge(opts) if mytask
    framework.db.(opts)
  elsif !db_warning_given?
    vprint_warning('No active DB -- Credential data will not be saved!')
    nil
  end
end

#mytaskObject



103
104
105
106
107
108
109
110
111
# File 'lib/msf/core/auxiliary/report.rb', line 103

def mytask
  if self.respond_to?(:[]) && self[:task]
    return self[:task].record
  elsif @task && @task.class == Mdm::Task
    return @task
  else
    return nil
  end
end

#myworkspaceObject



87
88
89
# File 'lib/msf/core/auxiliary/report.rb', line 87

def myworkspace
  @myworkspace = framework.db.find_workspace(self.workspace)
end

#myworkspace_idNilClass, Integer

This method safely get the workspace ID. It handles if the db is not active

Returns:

  • (NilClass)

    if there is no DB connection

  • (Integer)

    the ID of the current Mdm::Workspace



95
96
97
98
99
100
101
# File 'lib/msf/core/auxiliary/report.rb', line 95

def myworkspace_id
  if framework.db.active
    myworkspace.id
  else
    nil
  end
end

#report_auth_info(opts = {}) ⇒ Object

This Legacy method is responsible for creating credentials from data supplied by a module. This method is deprecated and the new Metasploit::Credential methods should be used directly instead.

Parameters:

  • opts (Hash) (defaults to: {})

    the option hash

Options Hash (opts):

  • :host (String)

    the address of the host (also takes a Mdm::Host)

  • :port (Integer)

    the port of the connected service

  • :service (Mdm::Service)

    an optional Service object to build the cred for

  • :type (String)

    What type of private credential this is (e.g. "password", "hash", "ssh_key")

  • :proto (String)

    Which transport protocol the service uses

  • :sname (String)

    The 'name' of the service

  • :user (String)

    The username for the cred

  • :pass (String)

    The private part of the credential (e.g. password)

Raises:

  • (ArgumentError)


201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
# File 'lib/msf/core/auxiliary/report.rb', line 201

def report_auth_info(opts={})
  print_warning("*** #{self.fullname} is still calling the deprecated report_auth_info method! This needs to be updated!")
  print_warning('*** For detailed information about LoginScanners and the Credentials objects see:')
  print_warning('     https://docs.metasploit.com/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html')
  print_warning('     https://docs.metasploit.com/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html')
  print_warning('*** For examples of modules converted to just report credentials without report_auth_info, see:')
  print_warning('     https://github.com/rapid7/metasploit-framework/pull/5376')
  print_warning('     https://github.com/rapid7/metasploit-framework/pull/5377')
  return unless db
  raise ArgumentError.new("Missing required option :host") if opts[:host].nil?
  raise ArgumentError.new("Missing required option :port") if (opts[:port].nil? and opts[:service].nil?)

  if opts[:host].is_a?(::Mdm::Host)
    host = opts[:host].address
  else
    host = opts[:host]
  end

  type = :password
  case opts[:type]
    when "password"
      type = :password
    when "hash"
      type = :nonreplayable_hash
    when "ssh_key"
      type = :ssh_key
  end

  case opts[:proto]
    when "tcp"
      proto = "tcp"
    when "udp"
      proto = "udp"
    else
      proto = "tcp"
  end

  if opts[:service] && opts[:service].is_a?(Mdm::Service)
    port         = opts[:service].port
    proto        = opts[:service].proto
    service_name = opts[:service].name
    host         = opts[:service].host.address
  else
    port         = opts.fetch(:port)
    service_name = opts.fetch(:sname, nil)
  end

  username = opts.fetch(:user, nil)
  private  = opts.fetch(:pass, nil)

  service_data = {
    address: host,
    port: port,
    service_name: service_name,
    protocol: proto,
    workspace_id: myworkspace_id
  }

  if self.type == "post"
    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: self.refname
    }
  else
    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname
    }
    credential_data.merge!(service_data)
  end

  unless private.nil?
    credential_data[:private_type] = type
    credential_data[:private_data] = private
  end

  unless username.nil?
    credential_data[:username] = username
  end

  credential_core = create_credential(credential_data)

   ={
    core: credential_core,
    status: Metasploit::Model::Login::Status::UNTRIED
  }
  .merge!(service_data)
  ()
end

#report_client(opts = {}) ⇒ Object

Report a client connection

Parameters:

  • opts (Hash) (defaults to: {})

    report client information based on user-agent

Options Hash (opts):

  • :host (String)

    the address of the client connecting

  • :ua_string (String)

    a string that uniquely identifies this client

  • :ua_name (String)

    a brief identifier for the client, e.g. "Firefox"

  • :ua_ver (String)

    the version number of the client, e.g. "3.0.11"



152
153
154
155
156
157
158
159
# File 'lib/msf/core/auxiliary/report.rb', line 152

def report_client(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_client(opts)
end

#report_exploit(opts = {}) ⇒ Object

This will simply log a deprecation warning, since report_exploit() is no longer implemented.



327
328
329
330
331
332
333
334
# File 'lib/msf/core/auxiliary/report.rb', line 327

def report_exploit(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_exploit(opts)
end

#report_host(opts) ⇒ Object

Report a host’s liveness and attributes such as operating system and service pack

opts must contain :host, which is an IP address identifying the host you’re reporting about

See data/sql/*.sql and lib/msf/core/db.rb for more info



129
130
131
132
133
134
135
136
# File 'lib/msf/core/auxiliary/report.rb', line 129

def report_host(opts)
  return if not db
  opts = {
    :workspace => myworkspace,
    :task => mytask
  }.merge(opts)
  framework.db.report_host(opts)
end

#report_loot(opts = {}) ⇒ Object



336
337
338
339
340
341
342
343
# File 'lib/msf/core/auxiliary/report.rb', line 336

def report_loot(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_loot(opts)
end

#report_note(opts = {}) ⇒ Object



179
180
181
182
183
184
185
186
# File 'lib/msf/core/auxiliary/report.rb', line 179

def report_note(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_note(opts)
end

#report_service(opts = {}) ⇒ Object

Report detection of a service



170
171
172
173
174
175
176
177
# File 'lib/msf/core/auxiliary/report.rb', line 170

def report_service(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_service(opts)
end

#report_vuln(opts = {}) ⇒ Object



292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
# File 'lib/msf/core/auxiliary/report.rb', line 292

def report_vuln(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  vuln = framework.db.report_vuln(opts)

  raise Msf::ValidationError, "Failed to report vuln for #{opts[:host]}:#{opts[:port]} to the database" if vuln.nil?

  # add vuln attempt audit details here during report

  timestamp  = opts[:timestamp]
  username   = opts[:username]
  mname      = self.fullname # use module name when reporting attempt for correlation

  # report_vuln is only called in an identified case, consider setting value reported here
  attempt_info = {
      :vuln_id      => vuln.id,
      :attempted_at => timestamp || Time.now.utc,
      :exploited    => false,
      :fail_detail  => 'vulnerability identified',
      :fail_reason  => 'Untried', # Mdm::VulnAttempt::Status::UNTRIED, avoiding direct dependency on Mdm, used elsewhere in this module
      :module       => mname,
      :username     => username  || "unknown",
  }

  # TODO: figure out what opts are required and why the above logic doesn't match that of the db_manager method
  framework.db.report_vuln_attempt(vuln, attempt_info)

  vuln
end

#report_web_form(opts = {}) ⇒ Object



363
364
365
366
367
368
369
370
# File 'lib/msf/core/auxiliary/report.rb', line 363

def report_web_form(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_web_form(opts)
end

#report_web_page(opts = {}) ⇒ Object



354
355
356
357
358
359
360
361
# File 'lib/msf/core/auxiliary/report.rb', line 354

def report_web_page(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_web_page(opts)
end

#report_web_site(opts = {}) ⇒ Object



345
346
347
348
349
350
351
352
# File 'lib/msf/core/auxiliary/report.rb', line 345

def report_web_site(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_web_site(opts)
end

#report_web_vuln(opts = {}) ⇒ Object



372
373
374
375
376
377
378
379
# File 'lib/msf/core/auxiliary/report.rb', line 372

def report_web_vuln(opts={})
  return if not db
  opts = {
      :workspace => myworkspace,
      :task => mytask
  }.merge(opts)
  framework.db.report_web_vuln(opts)
end

#store_cred(opts = {}) ⇒ Object

Takes a credential from a script (shell or meterpreter), and sources it correctly to the originating user account or session. Note that the passed-in session ID should be the Session.local_id, which will be correlated with the Session.id



528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
# File 'lib/msf/core/auxiliary/report.rb', line 528

def store_cred(opts={})
  if [opts[:port],opts[:sname]].compact.empty?
    raise ArgumentError, "Missing option: :sname or :port"
  end
  cred_opts = opts
  cred_opts = opts.merge(:workspace => myworkspace)
  cred_opts = { :task_id => mytask.id }.merge(cred_opts) if mytask
  cred_host = myworkspace.hosts.find_by_address(cred_opts[:host])
  unless opts[:port]
    possible_services = myworkspace.services.where(host_id: cred_host[:id], name: cred_opts[:sname])
    case possible_services.size
    when 0
      case cred_opts[:sname].downcase
      when "smb"
        cred_opts[:port] = 445
      when "ssh"
        cred_opts[:port] = 22
      when "telnet"
        cred_opts[:port] = 23
      when "snmp"
        cred_opts[:port] = 161
        cred_opts[:proto] = "udp"
      else
        raise ArgumentError, "No matching :sname found to store this cred."
      end
    when 1
      cred_opts[:port] = possible_services.first[:port]
    else # SMB should prefer 445. Everyone else, just take the first hit.
      if (cred_opts[:sname].downcase == "smb") && possible_services.map {|x| x[:port]}.include?(445)
        cred_opts[:port] = 445
      elsif (cred_opts[:sname].downcase == "ssh") && possible_services.map {|x| x[:port]}.include?(22)
        cred_opts[:port] = 22
      else
        cred_opts[:port] = possible_services.first[:port]
      end
    end
  end
  if opts[:collect_user]
    cred_service = cred_host.services.find_by_host_id(cred_host[:id])
    myworkspace.creds.sort {|a,b| a.created_at.to_f}.each do |cred|
      if(cred.user.downcase == opts[:collect_user].downcase &&
         cred.pass == opts[:collect_pass]
        )
        cred_opts[:source_id] ||= cred.id
        cred_opts[:source_type] ||= cred_opts[:collect_type]
        break
      end
    end
  end
  if opts[:collect_session]
    session = myworkspace.sessions.where(local_id: opts[:collect_session]).last
    if !session.nil?
      cred_opts[:source_id] = session.id
      cred_opts[:source_type] = "exploit"
    end
  end
  print_status "Collecting #{cred_opts[:user]}:#{cred_opts[:pass]}"
  framework.db.report_auth_info(cred_opts)
end

#store_local(ltype = nil, ctype = nil, data = nil, filename = nil) ⇒ Object

Store some locally-generated data as a file, similar to store_loot. Sometimes useful for keeping artifacts of an exploit or auxiliary module, such as files from fileformat exploits. (TODO: actually implement this on file format modules.)

filename is the local file name.

data is the actual contents of the file

Also stores metadata about the file in the database when available. ltype is an OID-style loot type, e.g. “cisco.ios.config”. Ignored when no database is connected.

ctype is the Content-Type, e.g. “text/plain”. Ignored when no database is connected.



473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
# File 'lib/msf/core/auxiliary/report.rb', line 473

def store_local(ltype=nil, ctype=nil, data=nil, filename=nil)
  if ! ::File.directory?(Msf::Config.local_directory)
    FileUtils.mkdir_p(Msf::Config.local_directory)
  end

  # Split by fname an extension
  if filename and not filename.empty?
    if filename =~ /(.*)\.(.*)/
      ext = $2
      fname = $1
    else
      fname = filename
    end
  else
    fname = ctype || "local_#{Time.now.utc.to_i}"
  end

  # Split by path separator
  fname = ::File.split(fname).last

  case ctype # Probably could use more cases
  when "text/plain"
    ext ||= "txt"
  when "text/xml"
    ext ||= "xml"
  when "text/html"
    ext ||= "html"
  when "application/pdf"
    ext ||= "pdf"
  else
    ext ||= "bin"
  end

  fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')
  fname << ".#{ext}"

  ltype.gsub!(/[^a-z0-9\.\_\-]+/i, '')

  path = File.join(Msf::Config.local_directory, fname)
  full_path = ::File.expand_path(path)
  File.open(full_path, "wb") { |fd| fd.write(data) }

  # This will probably evolve into a new database table
  report_note(
    :data => full_path.dup,
    :type => "#{ltype}.localpath"
  )

  return full_path.dup
end

#store_loot(ltype, ctype, host, data, filename = nil, info = nil, service = nil, &block) ⇒ Object

Store some data stolen from a session as a file

Also stores metadata about the file in the database when available ltype is an OID-style loot type, e.g. “cisco.ios.config”. Ignored when no database is connected.

ctype is the Content-Type, e.g. “text/plain”. Affects the extension the file will be saved with.

host can be an String address or a Session object

data is the actual contents of the file

filename and info are only stored as metadata, and therefore both are ignored if there is no database



398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
# File 'lib/msf/core/auxiliary/report.rb', line 398

def store_loot(ltype, ctype, host, data, filename=nil, info=nil, service=nil, &block)
  if ! ::File.directory?(Msf::Config.loot_directory)
    FileUtils.mkdir_p(Msf::Config.loot_directory)
  end

  ext = 'bin'
  if filename
    parts = filename.to_s.split('.')
    if parts.length > 1 and parts[-1].length <= 6
      ext = parts[-1]
    end
  end

  case ctype
  when /^text\/[\w\.]+$/
    ext = "txt"
  end
  # This method is available even if there is no database, don't bother checking
  host = Msf::Util::Host.normalize_host(host)

  ws = (db ? myworkspace.name[0,16] : 'default')
  name =
    Time.now.strftime("%Y%m%d%H%M%S") + "_" + ws + "_" +
    (host || 'unknown') + '_' + ltype[0,16] + '_' +
    Rex::Text.rand_text_numeric(6) + '.' + ext

  name.gsub!(/[^a-z0-9\.\_]+/i, '')

  path = File.join(Msf::Config.loot_directory, name)
  full_path = ::File.expand_path(path)
  File.open(full_path, "wb") do |fd|
    fd.write(data)
  end

  if (db)
    # If we have a database we need to store it with all the available
    # metadata.
    conf = {}
    conf[:host] = host if host
    conf[:type] = ltype
    conf[:content_type] = ctype
    conf[:path] = full_path
    conf[:workspace] = myworkspace
    conf[:name] = filename if filename
    conf[:info] = info if info
    conf[:data] = data unless data.nil?

    if service and service.kind_of?(::Mdm::Service)
      conf[:service] = service if service
    end

    loot = framework.db.report_loot(conf)
    yield loot if block_given?
  end

  return full_path.dup
end