Finding Exposed Http(s) Admin Pages

This post is a kinda fix for a really great series of posts by Chris Gates (@carnal0wnage). He wrote a blog post about finding exposed web admin pages on a network using Metasploit’s database, Firefox and a plugin called Linky; read it here: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-1-exposed-services.html

Since the article was written, the Rapid7/Metasploit devs changed the way web services are listed in Metasploit’s database: the service names went from ‘http’ and ‘https’ to just plain ‘www’.

Edit: the http and https labels have reappeared! The script should still work; just alter the services command to include http and https.

I was on an internal network test this week and wanted to look for exposed web admin pages, so I had to modify the Ruby script that Chris wrote. Not rocket science, but the thing works now.

Continue reading

Installing Metasploit Framework GIT version

Recently, with the release of Metasploit 4.5, the developers changed the way the framework is updated: previously this was done via ‘svn’, but for various reasons it is now done via ‘git’.

The developers also changed the ‘Community’ version somewhat: they removed a large chunk of code that was largely duplicated, and this and other changes have altered the update frequency of the framework. The Community version now only receives updated modules etc. on a weekly basis, as the updates are QA’ed in the same way as the Pro version. The Community version also has to be activated before it can be updated.

There is still a way for developers, pentesters or anyone who just wants the latest version. It follows the ‘old way’, where the framework shipped without the database but with support to connect to one.

I’ll show you here how to set up the git version of the framework. I did this on my pentesting laptop, which runs Arch Linux, but as the framework is written in Ruby the steps should be the same for any distro.

First off we need to install git, if you don’t already have it installed:


sudo pacman -S git

Continue reading

Metasploit POST Module – Interesting Documents Finder

I wrote this Metasploit post module to search for and download files from compromised hosts.

Initial credit to @3vilJohn, whose module inspired this: http://johnbabio.wordpress.com

It searches open Metasploit SESSIONS for Word, Excel and PDF files, plus any user-specified file types.

It can also enumerate and search specified drives, using a bit of Railgun kung-fu from Mubix (http://www.room362.com).

You can set the dump location for the downloaded files and even attempt to elevate privileges with a Get_System function, useful when you’re in as an unprivileged user.

Here are some screenshots of it in action:

Continue reading

xStorm Cloud Based Vulnerability Scanner from RandomStorm

This is a follow up from my recent posts about the company RandomStorm and its products.

After my initial phone conversation they sent me complimentary access to their xStorm Cloud Based Vulnerability Scanner.

Well, recently I had some time to investigate; these are my findings. Hope you enjoy.

First off, this is only a brief look at this product; there is probably much more to it than I can explore here with the limited trial RandomStorm gave me.

OK, first you have to start up your browser. I chose Google Chrome, but Firefox or even Internet Explorer will suffice.

You will be met with a login screen.

Continue reading