Finding Exposed Http(s) Admin Pages

This post is kind of a fix for a really great series of posts by Chris Gates (@carnalownage). He wrote a blog post about finding exposed web admin pages on a network using Metasploit’s database, Firefox and a plugin called Linky; read it here: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-1-exposed-services.html

Since the article was written, the Rapid7/Metasploit devs changed the way web services are listed in the Metasploit database: they went from ‘http’ and ‘https’ to just plain ‘www’.

Oops, edit: the http and https labels have reappeared! The script should still work; just alter the services command to include http and https.

I was on an internal network test this week and wanted to look for exposed web admin pages, so I had to modify the Ruby script that Chris wrote. Not rocket science, but the thing works now.

To get it all working:

Enter the following in ‘msfconsole’:

services -s http,https,www -o /opt/framework/http-host.csv

This will output a file into your msfconsole folder. For me msfconsole is in /opt/framework; you should edit the path to reflect your own installation.

Next, copy this small Ruby program and place the file into your Metasploit folder (in my case /opt/framework). I called the file csv-html-linky-2.rb. This is the edited version of the script written by Chris Gates.

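#!/usr/bin/ruby
require 'csv'

# CSV written by the msfconsole "services -o" command above
list = "/opt/framework/http-host.csv"

# The block form of File.open closes the HTML file when the block ends
File.open("/opt/framework/http-host.html", "w") do |output|
  output.print("<html>\n<body>\n")
  CSV.foreach(list) do |brute|
    ip = brute[0]
    port = brute[1]
    # Skip the CSV header row and any line without a numeric port
    next unless port.to_s =~ /\A\d+\z/
    output.print("<a href=\"http://#{ip}:#{port}\">http://#{ip}:#{port}</a>\n<br>")
  end
  output.print("</body>\n</html>\n")
end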

Next, run this script against the CSV file generated by Metasploit. Once run, the script will create a new file called http-host.html, which you need to open with Firefox.

Before you can open the links generated by the script, install the Firefox add-on Linky. Then, once the file is opened, right-click and open all links in tabs.

Linky will then open each of the links in a separate tab for you to inspect and possibly enter credentials, hopefully default ones.
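A more defensive take on the link generator, as an added example that is not part of the original post or Chris Gates's script. It goes a little further than the script above: it reads columns by header name, keeps only open services labelled http, https or www, picks the scheme, drops duplicate URLs and HTML-escapes every value before writing it into the page. The header names, state values, HTTPS port list and sample rows are assumptions constructed for illustration.

```ruby
require 'csv'
require 'erb'

# Labels Metasploit has used for web services (taken from the post).
WEB_LABELS = %w[http https www].freeze
# Heuristic: ports treated as TLS when the label is the generic 'www' (assumption).
HTTPS_PORTS = [443, 8443].freeze

# Constructed sample in the shape of a "services -o" export; the header
# names and state values are assumptions, adjust them to match your file.
SAMPLE_CSV = <<~CSV
  host,port,proto,name,state,info
  "10.0.0.5","80","tcp","http","open","Apache httpd"
  "10.0.0.5","443","tcp","https","open","Apache httpd"
  "10.0.0.9","8080","tcp","www","open","<b>admin</b> panel"
  "10.0.0.9","8080","tcp","www","open","duplicate row"
  "10.0.0.12","443","tcp","www","open",""
  "10.0.0.20","80","tcp","http","closed",""
  "10.0.0.21","22","tcp","ssh","open","OpenSSH"
CSV

# Returns [url, info] pairs for open web services, one per unique URL.
def web_targets(csv_text)
  seen = {}
  CSV.parse(csv_text, headers: true).each do |row|
    name = row['name'].to_s.downcase
    next unless WEB_LABELS.include?(name) && row['state'].to_s == 'open'
    port = Integer(row['port'].to_s, 10, exception: false)
    next unless port && port.between?(1, 65_535)
    scheme = (name == 'https' || HTTPS_PORTS.include?(port)) ? 'https' : 'http'
    url = "#{scheme}://#{row['host']}:#{port}"
    seen[url] ||= row['info'].to_s
  end
  seen.to_a
end

# Builds the page, escaping every value that came from the database so a
# service banner containing markup cannot alter the report.
def render_html(targets)
  links = targets.map do |url, info|
    safe = ERB::Util.html_escape(url)
    "<a href=\"#{safe}\">#{safe}</a> #{ERB::Util.html_escape(info)}<br>"
  end
  "<html>\n<body>\n#{links.join("\n")}\n</body>\n</html>\n"
end

puts render_html(web_targets(SAMPLE_CSV)) if __FILE__ == $PROGRAM_NAME
```

To use it on a real export, pass File.read of your CSV path to web_targets and write the result of render_html to http-host.html.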

Enjoy
