
2 Posts authored by: arzamendi Employee

Pentester Pete here again. It's nice to see y'all and thanks for coming back. Have you ever had those times when you're developing, updating, or when a Metasploit module throws a backtrace on ya, and you're scratching your head asking yourself, "why me, what's going on"? Well, I hope this blog will get you through those moments with as little pain as possible. That's right, in this blog we'll cry, laugh, and dance our way through debugging Metasploit modules.

 

Disclaimer: As a best practice you should never make changes to your master branch; it's dangerous. Instead, create a different branch for any additions or modifications. See the Metasploit Development Environment Guide for more information (https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment).

 

First things first, we'll need to set up our environment. All the mystical debugging magic happens with a really lobster gem called pry-debugger. What is pry-debugger? Well, pry-debugger "Adds step, next, finish, and continue commands along with breakpoints to Pry using debugger." At this point you may be asking yourself, what is Pry? "Pry is a powerful alternative to the standard IRB shell for Ruby. It features syntax highlighting, a flexible plugin architecture, runtime invocation and source and documentation browsing." (http://pry.github.com/). There aren't enough electrons available to convey the awesomeness of pry.

 

Why do I think pry-debugger is so jiffy cool? You get the power of Pry with the added benefit of having a debugger. The ability to step through the code and see what's happening gives me invaluable insight when trying to figure out why #{fill_in_the_blank} is not working.

 

How do I get pry-debugger installed? I'm glad you asked. You can use the gem command as follows: gem install pry-debugger. This command will install pry-debugger and any of the gem's dependencies. Now that we have the gem installed we can get to the nitty-gritty.

 

Edit the Gemfile at the root of your Metasploit directory and add the following line: gem "pry-debugger".

 


 

Now run bundle. This will rebuild the gem dependencies and include the pry-debugger gem. Voila, you will not need to add require "pry-debugger" to each file you work with.

 

One thing to note: if you pull from the Metasploit framework repository and there is a change to the Gemfile, you will have to re-add gem "pry-debugger" and rerun bundle.

 

Now let the fun begin! Let's pick a module to debug. For our example today I'll use the owa_login module. This module is found under the modules/auxiliary/scanner/http/ directory. Let's say, for some reason, an account that should work is failing and we want to see why. Let's crack open our favorite editor and look for the function that returns the response to our authentication request. We'll looky-looky wookie, here on line 183 we see a call to send_request_cgi.

 

[Screenshot: the send_request_cgi call on line 183 of owa_login]

 

This is where we want to start debugging. To enable the debugger we add the line binding.pry right before the call, as shown in the following example.

 

[Screenshot: binding.pry added before the send_request_cgi call]

 

Now we save the module and fire up our always-trusty msfconsole. If you are already in msfconsole and used the edit command to edit the file, you can save the file and type reload to refresh the module. All righty, simple enough; now let's start debugging!

 

Configure the module's options and run it. Once the module reaches line 183, it will trigger the pry debugging statement. You should see the following screen indicating that the debugger has been triggered.

 

[Screenshot: the pry prompt after binding.pry is hit]

 

Now that we are in "debug mode" we have full access to any in-scope variables, constants, and functions that the module would have. Let's see what value the pass variable is set to. You simply use the p command and the variable name. The following figure demonstrates this. As shown, the pass variable is currently set to jeffy.

 

[Screenshot: p pass showing the value jeffy]

RAD, so now we know how to access the value of a variable, but I want more! Ok ok, so to step into the function you can use the command "step." This will step you into the function. W00t, we are now in the send_request_cgi function. Now say you want to step over a function. This can be accomplished with the next command.

 

[Screenshot: stepping into send_request_cgi with s and over calls with next]

 

Now if you're paying attention to the screenshots, you're yelling at the screen: wait, that used "s" to step! You are correct. You can set up shortcuts so you don't have to type the entire command. How to set up these shortcuts is described here: https://github.com/nixme/pry-debugger#tips.

 

Now that we are in the send_request_cgi function, let's see what data is contained within our request. Can anyone guess what command we would use? That's right, the p command. To see what the request looks like we issue "p r" and boom, there's our request data.

 

[Screenshot: p r showing the outgoing request data]

 

You can use the "continue" command to resume execution of the module. The next time you're stuck trying to figure out why something is not working, don't forget about your buddy, pry-debugger.
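One practical wrinkle with scanner modules like owa_login is that the credential loop hits a bare binding.pry on every user/pass pair. The added example below (not code from the owa_login module; send_request_cgi is a hypothetical stub, the credentials are constructed) guards the breakpoint so pry only stops for the one account you are investigating, and runs straight through if pry is not installed.

```ruby
# Added example: a scanner-style login loop with a conditional breakpoint.
# pry is optional here; without it the loop just runs (constant is assumed).
begin
  require 'pry'
  PRY_AVAILABLE = true
rescue LoadError
  PRY_AVAILABLE = false
end

# Hypothetical stand-in for the HTTP client's send_request_cgi. It fakes an
# OWA-style redirect on success; here "success" is any password of 8+ chars.
FakeResponse = Struct.new(:code, :body)
def send_request_cgi(opts)
  pass = opts['vars_post']['password'].to_s
  pass.length >= 8 ? FakeResponse.new(302, 'redirect') : FakeResponse.new(200, 'login failed')
end

# Try each [user, pass] pair and return the pairs that authenticated.
# debug_user names the account to break on; nil disables the breakpoint.
def try_logins(creds, debug_user: nil)
  creds.each_with_object([]) do |(user, pass), good|
    req = {
      'uri'       => '/owa/auth.owa',
      'method'    => 'POST',
      'vars_post' => { 'username' => user, 'password' => pass }
    }
    # Same placement as in the walkthrough (right before send_request_cgi),
    # but only fires for the account under investigation.
    binding.pry if PRY_AVAILABLE && debug_user && user == debug_user
    res = send_request_cgi(req)
    good << [user, pass] if res.code == 302
  end
end

# Constructed sample input; run with try_logins(CREDS, debug_user: 'alice')
# inside msfconsole (or any Ruby with pry) to stop only on alice's attempt.
CREDS = [['alice', 'jeffy'], ['bob', 'correcthorse']]
```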

 

This concludes our walk on the wild side of debugging Metasploit modules. I hope you enjoyed our brief tour. May the bits be with you.

 

For more information on pry-debugger see: https://github.com/nixme/pry-debugger

For more information on Pry see http://pryrepl.org/

As a pentester for Rapid7 I use Metasploit a lot. I think one of the most overlooked features in Metasploit is the ability to create resource scripts. What are resource scripts, you ask? "A resource file is essentially a batch script for Metasploit; using these files you can automate common tasks." (H.D. Moore)

 

There are several resource scripts included with Metasploit, one of which is port_cleaner. If you're like me, you have had times when, after importing Nmap scan data, a bunch of cruft for closed and filtered ports shows up. Well, port_cleaner cleans the cruft out and makes dealing with the data much easier.

 

Now to the real reason for this blog post: how to leverage the power of resource scripts. I was on an assessment a while ago where my customer wanted to know which of its web servers were running weak SSL ciphers and the SSLv2 protocol. Like you, SSLScan is usually my go-to tool for this task, but I wanted to switch things up a bit. I use Metasploit's database as a data repository for anything related to my penetration tests. So I started thinking, how can I get my SSLScan data into Metasploit? My first thought was to write a parser that would take SSLScan's output and import it into Metasploit's database. Well, this approach would get me to my end goal (having the data in Metasploit), but it would require an additional step to get it there. There had to be a better way. My friends, resource scripts are that better way!

 

The true power of resource scripts lies in the ability to use most, if not all, of the functions available within Metasploit. In my case, @TheLightCosine had already written an awesome SSL scanner class in Metasploit. My goal was to leverage that scanner to identify weak SSL ciphers and protocol versions and dump the data into Metasploit's database for reference and reporting.

 

My first concern was to figure out how to access the SSL scanner function from my resource script. Because resource scripts run in the context of the framework, you can access functions simply by calling them. The example below shows how this works. From within my resource script, I call Rex::SSLScan::Scanner, which creates a new scanner object for me to work with.

 

[Screenshot: Creating a new SSLScan Scanner object for later use.]

 

With that figured out, how might I run the scanner against all the hosts in my workspace that have SSL enabled? Never fear, framework.db.workspace.services is here. I simply loop over each service entry looking for port 443 or https, then sic the scanner on them.


[Screenshot: Looping over services in the workspace.]


Once I have the results I'm looking for, I use framework.db.report_note to store the data in my workspace. This allows me to later search the notes table for any hosts that have SSL notes associated with them.

 

 

[Screenshot: Storing SSLScan data in the notes table.]

 

I hope this has shown you some of the power you can wield with resource scripts. A 5-minute investment in a resource script can save a ton of time in the end.

 

Additional references:

My SSL scan resource script:

https://gist.github.com/parzamendi-r7/bf216a71be19025fd51d

 

List of resource scripts included with Metasploit:

https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource


Six Ways to Automate Metasploit:

https://community.rapid7.com/community/metasploit/blog/2011/12/08/six-ways-to-automate-metasploit
