mod_negotiation metasploit aux modules

A while ago I wrote about more efficient brute forcing when mod_negotiation is enabled, and I also released a Python script to automate it. Now I've written some Metasploit auxiliary modules that perform the same task. One module can be used to scan ranges for web servers that have it enabled; the other can be used to actually brute force files. You can find them on GitHub:

https://github.com/DiabloHorn/DiabloHorn/tree/5e495eb8553001946f4f98a79bd9542812de5b3e/metasploit/mod_negotiation

I've also opened a Redmine ticket on Metasploit and submitted them there, in case you would rather wait until Metasploit includes them. Assuming they do, that is: after all, it's my first attempt at contributing to Metasploit and my code might not be up to their standards.

https://www.metasploit.com/redmine/issues/3257

For the ones paying attention to every detail: yes, I fucked up and made a typo while submitting the ticket :)

If you want to use them you can place them in the following directory:

[metasploit-root]/modules/auxiliary/scanner/http/

After you've placed them there, just fire up Metasploit and search for "negotiation"; they should show up in the results. If something goes wrong, read the code; I didn't do a lot of error checking. If you are wondering why I chose to make modules for the mod_negotiation issue: like always, I wanted to learn something new, and since I was already familiar with the issue I was more confident I could implement them. If it all went well it should look like the following:

Search results

msf > search negotiation
[*] Searching loaded modules for pattern 'negotiation'...

Auxiliary
=========

Name                                  Disclosure Date  Rank    Description
----                                  ---------------  ----    -----------
scanner/http/mod_negotiation_brute                     normal  HTTP Mod Negotiation Bruter
scanner/http/mod_negotiation_scanner                   normal  HTTP Mod Negotiation Scanner

Scanner information

msf > info scanner/http/mod_negotiation_scanner

Name: HTTP Mod Negotiation Scanner
Version: 0.1
License: BSD License
Rank: Normal

Provided by:
diablohorn <diablohorn@gmail.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
FILENAME  index            yes       Filename to use as a test
PATH      /                yes       The path to detect mod_negotiation
Proxies                    no        Use a proxy chain
RHOSTS                     yes       The target address range or CIDR identifier
RPORT     80               yes       The target port
THREADS   1                yes       The number of concurrent threads
VHOST                      no        HTTP server virtual host

Description:
This module scans the webserver of the given host(s) for the
existence of mod_negotiate. Returns the ip if the host is
vulnerable.

Bruter information

msf > info scanner/http/mod_negotiation_brute

Name: HTTP Mod Negotiation Bruter
Version: 0.1
License: BSD License
Rank: Normal

Provided by:
diablohorn <diablohorn@gmail.com>

Basic options:
Name      Current Setting                                 Required  Description
----      ---------------                                 --------  -----------
FILEPATH  /opt/metasploit3/msf3/data/wmap/wmap_files.txt  yes       path to file with file names
PATH      /                                               yes       The path to detect mod_negotiation
Proxies                                                   no        Use a proxy chain
RHOSTS                                                    yes       The target address range or CIDR identifier
RPORT     80                                              yes       The target port
THREADS   1                                               yes       The number of concurrent threads
VHOST                                                     no        HTTP server virtual host

Description:
This module performs a brute force attack using mod_negotiation on
the given host(s). Returns the ip and the found file if the host is
vulnerable.
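The scanner and bruter descriptions above both hinge on the same server behaviour: when Apache's mod_negotiation (MultiViews) is active, a request for an extension-less name such as the FILENAME option's default "index" can produce a 406 Not Acceptable response whose Alternates header lists the variants that exist on disk. The following Ruby is an added example written for this post, not code from the modules on GitHub; it shows the parsing step that such a scanner needs, run against a constructed sample response (the response text, function names and the hypothetical file names in it are all assumptions, not captured data).

```ruby
# Added example: parse an Apache mod_negotiation 406 response.
# SAMPLE_406 is constructed sample data, not a captured response.
SAMPLE_406 = <<~RESP
  HTTP/1.1 406 Not Acceptable
  Date: Mon, 01 Jan 2001 00:00:00 GMT
  Server: Apache
  Alternates: {"index.html" 1 {type text/html} {length 1234}}, {"index.php" 1 {type application/x-httpd-php} {length 2345}}
  Vary: negotiate,accept
  TCN: list
  Content-Type: text/html; charset=iso-8859-1

  <html><body>Not Acceptable</body></html>
RESP

# Split a raw HTTP response into [status code, headers (lowercased names), body].
def parse_http_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.lines.map(&:chomp)
  status = lines.shift[/\A\S+ (\d{3})/, 1].to_i
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  [status, headers, body.to_s]
end

# Extract the variant file names from an RFC 2295 "Alternates" header.
# Each variant is a braced group that starts with a quoted name, e.g.
#   {"index.html" 1 {type text/html} {length 1234}}
def alternates(header_value)
  header_value.to_s.scan(/\{"([^"]+)"/).flatten
end

# Detection logic: mod_negotiation is in play when the response is a 406
# that carries an Alternates listing. Returns the listed variants, or nil
# when the response does not show that behaviour.
def mod_negotiation_variants(raw_response)
  status, headers, _body = parse_http_response(raw_response)
  return nil unless status == 406 && headers.key?('alternates')
  alternates(headers['alternates'])
end

if __FILE__ == $PROGRAM_NAME
  found = mod_negotiation_variants(SAMPLE_406)
  puts(found ? "mod_negotiation listing: #{found.join(', ')}" : 'no listing')
end
```

On the server side this listing only exists while MultiViews is on, so `Options -MultiViews` in the relevant Apache Directory block is what removes the information the bruter relies on; the parser above returns nil for any response that is not a 406 with an Alternates header, which is also how you would confirm the option has been switched off.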
