Protocol detection

[hazcod]

Hi,

First if all, thanks for the project! I really like the idea.
The README mentions following example:

variable "target_host" {
  type = "string"
}
resource "nslookup" "nslookup" {
  dns_server = "8.8.4.4"
  host = "${var.target_host}"
}
resource "nmap" "nmap" {
  for_each = "${nslookup.ip_address}"
  host = "${each.key}"
}
// for each IP, check if nmap found port 25 open.
// if yes, run metasploit's smtp_enum scanner
resource "metasploit" "metasploit" {
  for_each = "${nslookup.ip_address}"
  exploit = "auxiliary/scanner/smtp/smtp_enum"
  options = {
    RHOSTS = "${each.key}"
  }
  plugin_enabled = "${nmap["${each.key}"].25 == "open"}"
}

However, most of the time you will need to detect the protocol and not rely on standard ports.
Is it currently possible to do so? e.g. launch a TLS scan for every port where (START)TLS was detected?

[stevenaldinger]

Thanks for checking it out! I really appreciate the feedback here too.

The examples are limited to my personal knowledge of tools right now but I'd be happy to add in that functionality. Is TLS detection something metasploit can do or do you have a tool you can refer me to? I'd love to write a plugin and add an example for that as early as this weekend if you can recommend a tool.

[stevenaldinger]

Are you familiar with this tool? It looks like it would accomplish what you're suggesting for SSL specifically.

Thanks again for your input, I'll add support for this to decker soon. Let me know if you know of other tools you'd recommend.

https://github.com/drwetter/testssl.sh

[hazcod]

nmap (which is already a plugin) could be used to do protocol detection.
e.g. nmap -O

[stevenaldinger]

You're absolutely right, thanks for the guidance!
Right now the nmap plugin is really basic and does not support passing in flags. I'll resolve this ASAP, it should be a quick update.

[stevenaldinger]

Just wanted you to know I started working on this, ran into an issue with a library the nmap plugin was using so it's taking a little longer than expected just to avoid making a mess. Thanks again for the feedback/suggestion.

You can expect something like this to be available soon:

variable "target_host" {
  type = "string"
}

resource "nmap" "nmap" {
  host = "${var.target_host}"
  type = "protocol_detection"
}

resource "metasploit" "metasploit" {
  for_each = "${nmap.port}"
  exploit = "auxiliary/scanner/ssh/ssh_login"
  options = {
    RHOSTS = "${var.target_host}"
    RPORT = "${each.key}"
    USERPASS_FILE = "/usr/share/metasploit-framework/data/wordlists/root_userpass.txt"
  }
  plugin_enabled = "${nmap["${each.key}"].protocol == "ssh"}"
}

[stevenaldinger]

I wasn't sure if I'd have time to finish this this weekend so pushed up a separate plugin specifically for this purpose. It's pretty rough but will be refactored soon and merged with the existing nmap plugin. It also works a bit differently than I mentioned earlier for now and is dangerous, it'll likely panic if you tell it to run on all ssh ports and none are found. (that'll be fixed soon too)

In the mean time there's an example config file here.

It'll look like this (make sure the plugin is nmap_protocol_detection and not just nmap) and will run on every port it discovers is ssh:

resource "nmap_protocol_detection" "nmap" {
  host = "${var.target_host}"
  type = "protocol_detection"
}

resource "metasploit" "metasploit" {
  for_each = "${nmap.ssh}"
  exploit = "auxiliary/scanner/ssh/ssh_login"
  options = {
    RHOSTS = "${var.target_host}"
    RPORT = "${each.key}"
    USERPASS_FILE = "/usr/share/metasploit-framework/data/wordlists/root_userpass.txt"
}

You can run the example with ./decker ./examples/nmap-protocols.hcl

[acarnage]

Dumb question here : If an host has 2 ssh services running, let's say 22 and 2222. Will the foreach loop process each port ?

[stevenaldinger]

Thats correct, in that case both ports would be processed. nmap.ssh ends up being a list of ports open with that service detected and the for each grabs one at a time from the list and substitutes it into "${each.key}".

nmap.ssh = ["22", "2222"]

[acarnage]

Hey !
I'm trying to build a first plugin basically launching "dirb" against an URL.
I wonder how i can write the hcl code in order to target 2 urls. My following attempts fail with "index out of range"

resource "dirb" "dirb" { for_each = ["https://www.google.fr","https://www.google.com"] target="${each.key}" }