Metasploit mailing list archives
Auxiliary Module Questions
From: a10n3.s7r1k3r at gmail.com (Kashif Iftikhar)
Date: Fri, 20 Apr 2007 13:29:16 +0000
Hello again,

Okay here I am again with more questions :-)

1. The Auxiliary::Report mixin has the "report_service" method. Looking at the DB schema, the "services" table has an "info" text field. However, the parameters passed to report_service (an opts hash) don't seem to take info into account. I can't find a way to populate the info field in the DB with extra info about the service.

2. The "vulns" and "vulns_refs" tables in the DB can get populated automatically when used with Exploit modules. But how about auxiliary modules? Is there a way to put data into those tables from within auxiliary modules? For example, I try to scan web servers for HTTP PUT and DELETE methods and when I find one that is exploitable, how do I put the extra info into the DB? One way is to utilize the info field in services but I guess the vulns table is meant for that. So how can I use that?

3. The Auxiliary::Scanner mixin supports three methods "run_host(ip)", "run_range(range)" and "run_batch(batch)". My understanding is that these methods are exclusive and only one should be included in a module that wants scanner functionality. The run_host method gets called for each IP specified by the RHOSTS option. But for run_range this gets tricky, the range parameter passed to run_range is a string so it is not iterable. How do I iterate through a range then? Do I need to manually process the string or is there another way? The Rex::Socket::RangeWalker is called for run_host and run_batch in scanner.rb but not for run_range. run_batch works fine for me as the batch is passed in as an array. Can someone explain why run_range doesn't get an array too so that it is easily iterable?

4. The second question about Auxiliary::Scanner is, run_host seems to process one IP at a time and goes in the traditional sequential flow. My understanding is that run_batch creates one thread for each batch to facilitate parallel scanning, am I correct about this one? And what about run_range again? How does parallel scanning/execution work with that? Does it create a thread for each IP in the range?

All these 3 methods can be made to run in passive by specifying the auxiliary action in PassiveActions. Having these 3 different types of methods seems to point that they are meant for different scan requirements. So any suggestions or tips when to use which one? I guess when we want to limit the max no of threads instantiated (and bandwidth usage) then we use run_batch. I am still a bit unclear about run_range though.

Thank you in advance for your help.

- Kashif.

On 4/17/07, mmiller at hick.org <mmiller at hick.org> wrote:
> On Tue, Apr 17, 2007 at 05:48:50PM +0000, Kashif Iftikhar wrote:
> > Hello,
> >
> > I am trying to put together an HTTP PUT/GET auxiliary module. I have a few questions regarding the working of auxiliary modules.
> >
> > 1. What is the difference between auxiliary actions (of class AuxiliaryAction) and auxiliary commands? Looking at the source code, the auxiliary_commands accessor function returns an empty dictionary ( { } ). Does this mean that auxiliary commands have not yet been implemented?
>
> Auxiliary commands allow you to add custom commands to the console interface. For example, there are builtin commands like 'exploit' and 'check' for exploit modules. Auxiliary modules by default all have the 'run' command. You can add additional commands through the auxiliary_commands method. Take a look at admin/backupexec/registry.rb for an example. These additional commands are only applicable to the one specific auxiliary module that defines them.
>
> > 2. Regarding auxiliary actions, I was able to add auxiliary actions by passing either
> >
> >     'Actions' => [AuxiliaryAction.new('PUT_FILE', {}), AuxiliaryAction.new('DELETE_FILE', {})],
> >
> > OR
> >
> >     'Actions' => [ ['My Aux action'] ],
> >
> > Looking at the constructor of AuxiliaryAction class, there is also an options dictionary/hash named opts that can be passed. For the time being I am passing it empty. What keys/values can come into opts? How do I add a description for an action?
>
> This hash is to let you have dynamic variables associated with your actions. These only have meaning within your auxiliary module, and aren't displayed to end-users. For example, if you look at exploit modules, the Targets information hash element has a name and a hash of options. The concept is the same with auxiliary modules.
>
> > doing 'show actions' in msfconsole just displays the action name without any description. I tried adding a 'Description' key to the opts passed to AuxiliaryAction class but it had no effect.
>
> There isn't a way at the moment to provide a description with actions. We could look into doing this by standardizing on some hash element keys such as 'Description'.
>
> > 3. How does an action become passive? Do I just include it in the PassiveActions list/array and it automatically gets to run as passive or are there other requirements?
>
> Yep, I believe this is all you need to do.
>
> > 4. Is there a way to monitor the status/progress of auxiliary scanner modules? Can this progress be monitored from the database without calling msfcli or msfconsole etc?
>
> You should be able to select from various tables, but I don't think there is a way to figure out "percentage" complete, for example.
>
> > 5. The auxiliary scanner modules provide three ways (scan host, scan range and scan batch) to do a scan. Exploring the source code, I was able to figure out these:
> >
> > * To scan a host the module should implement the run_host() method.
> > * To scan a range, the run_range method should be implemented.
> > * To scan a batch, the run_batch() method and also a batch_size accessor function should be implemented.
> >
> > My question is from where does the run_host(ip) method get the IP, the run_range(range) method get the range and the run_batch(batch) method get the batch? How can a user specify a range or a batch using msfconsole?
>
> If I recall correctly, ranges are specified by setting RHOSTS to something like 10.0.0.0/8 or some other network address form.
>
> > I am planning to write a tutorial on auxiliary module development and on some useful mixins like HttpClient, any other tips suggestions will also be greatly appreciated.
>
> Great! We look forward to seeing it. Feel free to send more questions to the list as you have them.
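
The range-iteration question in point 3 of the message above, as an added example that is not part of the original thread and is not Metasploit or Rex code: a stand-alone Ruby helper, using only the standard `ipaddr` library, that walks an RHOSTS-style string lazily and groups the addresses into arrays of the kind run_batch is described as receiving. The names `each_host`, `each_batch` and `SAMPLE_RHOSTS` are hypothetical, the sample input is constructed, and only IPv4 is handled.

```ruby
require 'ipaddr'

# Added example, not Metasploit code. All names here are hypothetical.

# Lazily yield every IPv4 address in an RHOSTS-style string. Items are
# separated by commas or whitespace and may be "a.b.c.d", "a.b.c.d/nn"
# or "a.b.c.d-e.f.g.h". CIDR items include the network and broadcast
# addresses.
def each_host(range)
  return enum_for(:each_host, range) unless block_given?

  range.split(/[,\s]+/).reject(&:empty?).each do |item|
    first, last =
      if item.include?('-')
        lo, hi = item.split('-', 2).map { |s| IPAddr.new(s.strip) }
        raise ArgumentError, "descending range: #{item}" if hi.to_i < lo.to_i
        [lo.to_i, hi.to_i]
      else
        r = IPAddr.new(item).to_range # a bare address is a one-element range
        [r.first.to_i, r.last.to_i]
      end
    # Iterate over integers so a /8 is never materialised as an array.
    (first..last).each { |n| yield IPAddr.new(n, Socket::AF_INET).to_s }
  end
end

# Group the addresses into fixed-size arrays, one array per batch,
# still without expanding the whole range up front.
def each_batch(range, batch_size)
  each_host(range).each_slice(batch_size)
end

# Constructed sample input in the style of an RHOSTS value.
SAMPLE_RHOSTS = '192.168.1.0/30, 10.0.0.5-10.0.0.7'

if __FILE__ == $PROGRAM_NAME
  each_batch(SAMPLE_RHOSTS, 3).each { |batch| puts batch.join(' ') }
end
```

Because the walk is an enumerator, a caller can stop early or cap concurrency per batch without holding every address of a large network in memory.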