[GSOC] Post-exploitation API improvements and pseudo_shell (metashell) module added

[AlbertoCoding]

Description

Post-Exploitation API improvements integrated in already existing libraries and the pseudo-shell module added to the project.

This is a first version of the pseudo-shell module. It will use only available commands in the device. If you need to use a specific command (such as cat, ls, whoami,…) and it does not exist in this specific limited shell, it will try to simulate it with simpler native Linux commands available (for example, with the echo command and processing the data obtained in our machine with ruby).

Verification

List of steps needed to make sure this thing works

• Start msfconsole
• Get a valid remote shell session
• Load the pseudo_shell post-exploitation module:
  use post/linux/manage/pseudo_shell
• Set session id (set SESSION 1)
• Review and set module options and run
• Verify the thing does what it should

Example

msfconsole
use auxiliary/scanner/ssh/ssh_login
set RHOST 192.168.1.1
set USERNAME admin
set PASSWORD admin
run
use post/linux/manage/pseudo_shell
set SESSION 1
run

[wvu]

Can we name this something other than "Vulnerateca Post-Exploitation Framework (VPEF)?" That name is too obscure, already trademarked, turned into an acronym, and exists within a greater framework already.

[wvu]

Unless I guess Vulnerateca is your company. But this is really a contribution toward Metasploit Framework's post exploitation capabilities, so a generic name will suffice!

[jmartin-tech]

Please note: "Metasploit requires spaces instead of hard tabs"

See https://github.com/rapid7/metasploit-framework/wiki/Style-Tips

Travis tests are failing early due to \t.

[AlbertoCoding]

Ok, thank you very much for the feedback!
I agree with you so I'm going to work on changing these things now.
By the way, do I need to create a new PR once I have all changes done on my repository, or if I just push to my branch [ AlbertoCoding: vpef ], changes will be shown here automatically?

[wvu]

You can push to your branch. The PR will be updated accordingly.

[sempervictus]

Cool stuff, thank you. We need to ween off specific binaries for more generic and quiet functionality.
The lib code might be better off integrated to the current library calls for access mechanisms so its used by all consumers - the framework is neat that way, you can shim in functionality for tons of existing code underneath.
Far as the modules go, they're not really collecting anything so much as displaying it... Storing loot, creds, notes, and any relevant named model properties is paramount for other modules to use this information down the line.
Agree with others that the naming piece is a bit much. Leave the company name in the email, and keep the code as close to existing standards as possible. There's free marketing enough from building cool things people use, branding doesn't belong in code outside a copyright header.

[bcoles]

+1 for removing pepa from namespace
+1 for integrating this functionality into existing post libs

[wvu]

Yep, agree with @sempervictus and @bcoles about working within the Post API.

That's the point I was trying to make in previous conversations. The API was designed to be portable, but then the code diverged from that. Make it right again. :)

Also, yeah, modules shouldn't be written for primitives, IMHO. You should add or enhance primitives in the library code, then write modules to use them. In your case, you'll be writing an interface.

[AlbertoCoding]

Thank you everyone for all the suggestions and comments.
All the suggested fixes and changes have been already applied.

[bcoles]

Has this PR been rebased with master? It looks like it nukes the changes made to lib/msf/core/post/common.rb in 9eb5700.

[bcoles]

Bump @asoto-r7 @sempervictus @wvu-r7

[sempervictus]

I'll check if this works under grsec, but if not, we may wanna check perms before we try a read, or we will be logged.

[wvu]

Merging master again to pass the build.

[wvu]

whoami and missing username in prompt fixed.

[wvu]

Privilege-specific prompt character added. SessionTypes updated to include Meterpreter.

[wvu]

meterpreter > run post/linux/manage/pseudo_shell
root@ubuntu-xenial:/vagrant# help

Commands Help
==============

	Command             Description
	-------             -----------
	?                   Show current help
	cat                 Show file contents
	cd                  Change current directory
	clear               Clear screen
	exit                Exit the Pseudo-shell
	groups              Show list of groups
	help                Show current help
	hostname            Show current Hostname
	interfaces          Show list of network interfaces
	ips                 Show list of current IP addresses
	isroot?             Show if current user has root permisions
	ls                  List files and folders in a directory
	macs                Show list of MAC addresses
	path                Show current directories included in $PATH enviroment variable
	pwd                 Show current PATH
	shell               Show current SHELL
	tcp_ports           Show list of listen TCP ports
	udp_ports           Show list of listen UDP ports
	users               Show list of users
	whoami              Show current user

root@ubuntu-xenial:/vagrant# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
root@ubuntu-xenial:/vagrant# cd /
root@ubuntu-xenial:/# groups
{:name=>"root", :gid=>"0", :users=>nil}
{:name=>"daemon", :gid=>"1", :users=>nil}
{:name=>"bin", :gid=>"2", :users=>nil}
{:name=>"sys", :gid=>"3", :users=>nil}
{:name=>"adm", :gid=>"4", :users=>"syslog,ubuntu"}
{:name=>"tty", :gid=>"5", :users=>nil}
{:name=>"disk", :gid=>"6", :users=>nil}
{:name=>"lp", :gid=>"7", :users=>nil}
{:name=>"mail", :gid=>"8", :users=>nil}
{:name=>"news", :gid=>"9", :users=>nil}
{:name=>"uucp", :gid=>"10", :users=>nil}
{:name=>"man", :gid=>"12", :users=>nil}
{:name=>"proxy", :gid=>"13", :users=>nil}
{:name=>"kmem", :gid=>"15", :users=>nil}
{:name=>"dialout", :gid=>"20", :users=>"ubuntu"}
{:name=>"fax", :gid=>"21", :users=>nil}
{:name=>"voice", :gid=>"22", :users=>nil}
{:name=>"cdrom", :gid=>"24", :users=>"ubuntu"}
{:name=>"floppy", :gid=>"25", :users=>"ubuntu"}
{:name=>"tape", :gid=>"26", :users=>nil}
{:name=>"sudo", :gid=>"27", :users=>"ubuntu"}
{:name=>"audio", :gid=>"29", :users=>"ubuntu"}
{:name=>"dip", :gid=>"30", :users=>"ubuntu"}
{:name=>"www-data", :gid=>"33", :users=>nil}
{:name=>"backup", :gid=>"34", :users=>nil}
{:name=>"operator", :gid=>"37", :users=>nil}
{:name=>"list", :gid=>"38", :users=>nil}
{:name=>"irc", :gid=>"39", :users=>nil}
{:name=>"src", :gid=>"40", :users=>nil}
{:name=>"gnats", :gid=>"41", :users=>nil}
{:name=>"shadow", :gid=>"42", :users=>nil}
{:name=>"utmp", :gid=>"43", :users=>nil}
{:name=>"video", :gid=>"44", :users=>"ubuntu"}
{:name=>"sasl", :gid=>"45", :users=>nil}
{:name=>"plugdev", :gid=>"46", :users=>"ubuntu"}
{:name=>"staff", :gid=>"50", :users=>nil}
{:name=>"games", :gid=>"60", :users=>nil}
{:name=>"users", :gid=>"100", :users=>nil}
{:name=>"nogroup", :gid=>"65534", :users=>nil}
{:name=>"systemd-journal", :gid=>"101", :users=>nil}
{:name=>"systemd-timesync", :gid=>"102", :users=>nil}
{:name=>"systemd-network", :gid=>"103", :users=>nil}
{:name=>"systemd-resolve", :gid=>"104", :users=>nil}
{:name=>"systemd-bus-proxy", :gid=>"105", :users=>nil}
{:name=>"input", :gid=>"106", :users=>nil}
{:name=>"crontab", :gid=>"107", :users=>nil}
{:name=>"syslog", :gid=>"108", :users=>nil}
{:name=>"netdev", :gid=>"109", :users=>"ubuntu"}
{:name=>"lxd", :gid=>"110", :users=>"ubuntu"}
{:name=>"messagebus", :gid=>"111", :users=>nil}
{:name=>"uuidd", :gid=>"112", :users=>nil}
{:name=>"ssh", :gid=>"113", :users=>nil}
{:name=>"mlocate", :gid=>"114", :users=>nil}
{:name=>"admin", :gid=>"115", :users=>nil}
{:name=>"vboxsf", :gid=>"116", :users=>nil}
{:name=>"vagrant", :gid=>"1000", :users=>nil}
{:name=>"ubuntu", :gid=>"1001", :users=>nil}
{:name=>"docker", :gid=>"117", :users=>nil}
root@ubuntu-xenial:/# hostname
ubuntu-xenial
root@ubuntu-xenial:/# interfaces
docker0
enp0s3
enp0s8
lo
vethd58216e
root@ubuntu-xenial:/# ips
10.0.2.15
127.0.0.1
172.17.0.1
172.28.128.3
root@ubuntu-xenial:/# isroot?
true
root@ubuntu-xenial:/# ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
vagrant
var
vmlinuz
root@ubuntu-xenial:/# macs
02:42:8b:1a:9c:2e
02:6c:72:8e:02:ff
08:00:27:1b:1a:e3
00:00:00:00:00:00
82:f5:3c:5b:05:ff
root@ubuntu-xenial:/# path
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
root@ubuntu-xenial:/# shell
sh
root@ubuntu-xenial:/# tcp_ports
22
root@ubuntu-xenial:/# udp_ports
68
root@ubuntu-xenial:/# users
{:name=>"root", :uid=>"0", :gid=>"0", :info=>"root", :dir=>"/root", :shell=>"/bin/bash"}
{:name=>"daemon", :uid=>"1", :gid=>"1", :info=>"daemon", :dir=>"/usr/sbin", :shell=>"/usr/sbin/nologin"}
{:name=>"bin", :uid=>"2", :gid=>"2", :info=>"bin", :dir=>"/bin", :shell=>"/usr/sbin/nologin"}
{:name=>"sys", :uid=>"3", :gid=>"3", :info=>"sys", :dir=>"/dev", :shell=>"/usr/sbin/nologin"}
{:name=>"sync", :uid=>"4", :gid=>"65534", :info=>"sync", :dir=>"/bin", :shell=>"/bin/sync"}
{:name=>"games", :uid=>"5", :gid=>"60", :info=>"games", :dir=>"/usr/games", :shell=>"/usr/sbin/nologin"}
{:name=>"man", :uid=>"6", :gid=>"12", :info=>"man", :dir=>"/var/cache/man", :shell=>"/usr/sbin/nologin"}
{:name=>"lp", :uid=>"7", :gid=>"7", :info=>"lp", :dir=>"/var/spool/lpd", :shell=>"/usr/sbin/nologin"}
{:name=>"mail", :uid=>"8", :gid=>"8", :info=>"mail", :dir=>"/var/mail", :shell=>"/usr/sbin/nologin"}
{:name=>"news", :uid=>"9", :gid=>"9", :info=>"news", :dir=>"/var/spool/news", :shell=>"/usr/sbin/nologin"}
{:name=>"uucp", :uid=>"10", :gid=>"10", :info=>"uucp", :dir=>"/var/spool/uucp", :shell=>"/usr/sbin/nologin"}
{:name=>"proxy", :uid=>"13", :gid=>"13", :info=>"proxy", :dir=>"/bin", :shell=>"/usr/sbin/nologin"}
{:name=>"www-data", :uid=>"33", :gid=>"33", :info=>"www-data", :dir=>"/var/www", :shell=>"/usr/sbin/nologin"}
{:name=>"backup", :uid=>"34", :gid=>"34", :info=>"backup", :dir=>"/var/backups", :shell=>"/usr/sbin/nologin"}
{:name=>"list", :uid=>"38", :gid=>"38", :info=>"Mailing List Manager", :dir=>"/var/list", :shell=>"/usr/sbin/nologin"}
{:name=>"irc", :uid=>"39", :gid=>"39", :info=>"ircd", :dir=>"/var/run/ircd", :shell=>"/usr/sbin/nologin"}
{:name=>"gnats", :uid=>"41", :gid=>"41", :info=>"Gnats Bug-Reporting System (admin)", :dir=>"/var/lib/gnats", :shell=>"/usr/sbin/nologin"}
{:name=>"nobody", :uid=>"65534", :gid=>"65534", :info=>"nobody", :dir=>"/nonexistent", :shell=>"/usr/sbin/nologin"}
{:name=>"systemd-timesync", :uid=>"100", :gid=>"102", :info=>"systemd Time Synchronization,,,", :dir=>"/run/systemd", :shell=>"/bin/false"}
{:name=>"systemd-network", :uid=>"101", :gid=>"103", :info=>"systemd Network Management,,,", :dir=>"/run/systemd/netif", :shell=>"/bin/false"}
{:name=>"systemd-resolve", :uid=>"102", :gid=>"104", :info=>"systemd Resolver,,,", :dir=>"/run/systemd/resolve", :shell=>"/bin/false"}
{:name=>"systemd-bus-proxy", :uid=>"103", :gid=>"105", :info=>"systemd Bus Proxy,,,", :dir=>"/run/systemd", :shell=>"/bin/false"}
{:name=>"syslog", :uid=>"104", :gid=>"108", :info=>"", :dir=>"/home/syslog", :shell=>"/bin/false"}
{:name=>"_apt", :uid=>"105", :gid=>"65534", :info=>"", :dir=>"/nonexistent", :shell=>"/bin/false"}
{:name=>"lxd", :uid=>"106", :gid=>"65534", :info=>"", :dir=>"/var/lib/lxd/", :shell=>"/bin/false"}
{:name=>"messagebus", :uid=>"107", :gid=>"111", :info=>"", :dir=>"/var/run/dbus", :shell=>"/bin/false"}
{:name=>"uuidd", :uid=>"108", :gid=>"112", :info=>"", :dir=>"/run/uuidd", :shell=>"/bin/false"}
{:name=>"dnsmasq", :uid=>"109", :gid=>"65534", :info=>"dnsmasq,,,", :dir=>"/var/lib/misc", :shell=>"/bin/false"}
{:name=>"sshd", :uid=>"110", :gid=>"65534", :info=>"", :dir=>"/var/run/sshd", :shell=>"/usr/sbin/nologin"}
{:name=>"pollinate", :uid=>"111", :gid=>"1", :info=>"", :dir=>"/var/cache/pollinate", :shell=>"/bin/false"}
{:name=>"vagrant", :uid=>"1000", :gid=>"1000", :info=>",,,", :dir=>"/home/vagrant", :shell=>"/bin/bash"}
{:name=>"ubuntu", :uid=>"1001", :gid=>"1001", :info=>"Ubuntu", :dir=>"/home/ubuntu", :shell=>"/bin/bash"}
root@ubuntu-xenial:/# whoami
root
root@ubuntu-xenial:/# exit
meterpreter >

[wvu]

Release Notes

This adds a metashell (pseudoshell) focused on post-exploitation against Linux targets. Users can run the post/linux/manage/pseudo_shell module to enable this feature against a session.