Metasploit-framework: Reducing modules number

Created on 6 Nov 2016  ·  11 Comments  ·  Source: rapid7/metasploit-framework

Hey @all

One of the noticeable things in Metasploit is that there are tons of modules for many things with the same kind of goal. This may keep things clear, but it makes Metasploit heavier to load and bigger in size. If we can find all modules - especially auxiliary modules - that can be merged and use the Action command to change their functionality, it would be more practical.

Expected behavior

use auxiliary/scanner/portscan
set RHOST x.x.x.x-y
set ACTION syn 
run 

Action could be

syn, tcp, xmas, xmas, ftpbounce, ack, all

So we can change the action without loading another module, and even avoid using setg if I need it for another target.

What should happen?

Merge all modules that are similar; here is a list of them:

auxiliary/scanner/portscan/ack
auxiliary/scanner/portscan/ftpbounce
auxiliary/scanner/portscan/syn
auxiliary/scanner/portscan/tcp
auxiliary/scanner/portscan/xmas

auxiliary/scanner/smb/smb2
auxiliary/scanner/smb/smb_enum_gp
auxiliary/scanner/smb/smb_login

auxiliary/scanner/ssl/openssl_ccs
auxiliary/scanner/ssl/openssl_heartbleed

auxiliary/gather/ibm_sametime_enumerate_users
auxiliary/gather/ibm_sametime_room_brute
auxiliary/gather/ibm_sametime_version

auxiliary/scanner/http/wordpress_multicall_creds {replaces wordpress_xmlrpc_login}
auxiliary/scanner/http/wordpress_xmlrpc_login
auxiliary/scanner/http/wordpress_scanner {to be wordpress, joomla, drupal, etc}

auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess
auxiliary/scanner/http/novell_file_reporter_srs_fileaccess

auxiliary/sqli/oracle/dbms_cdc_ipublish
auxiliary/sqli/oracle/dbms_cdc_publish
auxiliary/sqli/oracle/dbms_cdc_publish2
auxiliary/sqli/oracle/dbms_cdc_publish3

auxiliary/admin/mssql/mssql_enum
auxiliary/admin/mssql/mssql_enum_domain_accounts
auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli
auxiliary/admin/mssql/mssql_enum_sql_logins
auxiliary/admin/mssql/mssql_escalate_dbowner
auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
auxiliary/admin/mssql/mssql_escalate_execute_as
auxiliary/admin/mssql/mssql_escalate_execute_as_sqli

auxiliary/admin/oracle/osb_execqr
auxiliary/admin/oracle/osb_execqr2
auxiliary/admin/oracle/osb_execqr3

auxiliary/scanner/http/dlink_dir_300_615_http_login
auxiliary/scanner/http/dlink_dir_615h_http_login

auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal
auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal
auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal
auxiliary/scanner/http/hp_imc_reportimgservlt_traversal

auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess
auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration
auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess

auxiliary/scanner/http/jenkins_enum
auxiliary/scanner/http/jenkins_login

auxiliary/scanner/http/ssl
auxiliary/scanner/http/ssl_version

scanner/mssql/mssql_hashdump
scanner/mssql/mssql_login
scanner/mssql/mssql_ping
scanner/mssql/mssql_schemadump
scanner/mysql/mysql_authbypass_hashdump
scanner/mysql/mysql_file_enum
scanner/mysql/mysql_hashdump
scanner/mysql/mysql_login
scanner/mysql/mysql_schemadump
scanner/mysql/mysql_version
scanner/mysql/mysql_writable_dirs

scanner/oracle/sid_brute
scanner/oracle/sid_enum

scanner/oracle/tnslsnr_version
scanner/oracle/tnspoison_checker

exploit/multi/http/tomcat_mgr_deploy
exploit/multi/http/tomcat_mgr_upload

exploit/multi/misc/wireshark_lwres_getaddrbyname
exploit/multi/misc/wireshark_lwres_getaddrbyname_loop

Current behavior

use auxiliary/scanner/portscan/ack
set RHOST x.x.x.x-y
run 

use auxiliary/scanner/portscan/ftpbounce
set RHOST x.x.x.x-y
run 

use auxiliary/scanner/portscan/syn
set RHOST x.x.x.x-y
run 

use auxiliary/scanner/portscan/tcp
set RHOST x.x.x.x-y
run 

use auxiliary/scanner/portscan/xmas
set RHOST x.x.x.x-y
run

System stuff

Metasploit version

msf > version 
Framework: 4.12.41-dev-265567fa1955dd99c663eb2dc731a72068bd9680
Console  : 4.12.41-dev-265567fa1955dd99c663eb2dc731a72068bd9680

I installed Metasploit with:

  • [ ] Kali package via apt
  • [x] Omnibus installer (nightly)
  • [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
  • [ ] Source install (please specify ruby version)

OS

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial

Thanks

feature suggestion-module
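As an added illustration of the ACTION-based design proposed in this issue (example code, not code from the metasploit-framework project), the following Ruby sketch collapses the five auxiliary/scanner/portscan/* modules listed above into one module whose behaviour is selected with `set ACTION`. The `Msf::Auxiliary` stand-in, the `MergedPortscan` class, the `FAKE_REPLIES` table and the reply classification are all constructed for the example so it runs without the framework; a real module would inherit the framework's `Msf::Auxiliary`, declare its `Actions` and `DefaultAction` in the info hash and read `action.name` exactly as shown, but would send real probes through the framework's socket helpers. The ftpbounce scan is left out because it drives an FTP session rather than a raw probe.

```ruby
# Added example, not metasploit-framework code: one portscan module that
# switches scan type via ACTION instead of five separate module files.
# The Msf::Auxiliary base is a minimal stand-in for the framework class.
module Msf
  Action = Struct.new(:name, :opts)

  class Auxiliary
    attr_reader :datastore, :info

    def initialize(info)
      @info = info
      @datastore = { 'ACTION' => info['DefaultAction'] }
    end

    # Like the framework's `action`: the Actions entry whose name matches
    # datastore['ACTION'] (case-insensitive, as msfconsole accepts), or nil.
    def action
      wanted = datastore['ACTION'].to_s
      entry = info['Actions'].find { |name, _| name.casecmp?(wanted) }
      entry && Action.new(entry[0], entry[1])
    end
  end
end

class MergedPortscan < Msf::Auxiliary
  # How each scan type reads a reply. The host/port loop is identical for
  # all of them; only the probe and its interpretation differ, which is
  # what makes these modules candidates for merging.
  CLASSIFY = {
    'SYN'  => ->(reply) { { 'SYN/ACK' => 'open', 'RST' => 'closed' }.fetch(reply, 'filtered') },
    'TCP'  => ->(reply) { { 'SYN/ACK' => 'open', 'RST' => 'closed' }.fetch(reply, 'filtered') },
    'ACK'  => ->(reply) { reply == 'RST' ? 'unfiltered' : 'filtered' },
    'XMAS' => ->(reply) { reply == 'RST' ? 'closed' : 'open|filtered' }
  }.freeze

  # Constructed stand-in for sending a probe and reading the wire reply,
  # keyed by [host, port, scan type]; a missing key means "no reply".
  FAKE_REPLIES = {
    ['10.0.0.1', 22, 'SYN']  => 'SYN/ACK',
    ['10.0.0.1', 22, 'TCP']  => 'SYN/ACK',
    ['10.0.0.1', 22, 'ACK']  => 'RST',
    ['10.0.0.1', 22, 'XMAS'] => nil,   # an open port stays silent on XMAS
    ['10.0.0.1', 23, 'SYN']  => 'RST',
    ['10.0.0.1', 23, 'TCP']  => 'RST',
    ['10.0.0.1', 23, 'ACK']  => 'RST',
    ['10.0.0.1', 23, 'XMAS'] => 'RST'
    # port 80 on 10.0.0.1 answers nothing to any probe (filtered)
  }.freeze

  def initialize
    super(
      'Name'          => 'Merged TCP port scanner (example)',
      'Actions'       => CLASSIFY.keys.map { |n| [n, { 'Description' => "#{n} scan" }] } +
                         [['ALL', { 'Description' => 'Run every scan type' }]],
      'DefaultAction' => 'TCP'
    )
  end

  def probe(host, port, type)
    FAKE_REPLIES[[host, port, type]]
  end

  # Shared scan loop: dispatch on the selected action rather than on which
  # module file was loaded. Returns { "host:port" => { type => state } }.
  def run(hosts, ports)
    act = action
    raise ArgumentError, "unknown ACTION #{datastore['ACTION'].inspect}" unless act

    types = act.name == 'ALL' ? CLASSIFY.keys : [act.name]
    results = Hash.new { |h, k| h[k] = {} }
    hosts.each do |host|
      ports.each do |port|
        types.each do |type|
          results["#{host}:#{port}"][type] = CLASSIFY[type].call(probe(host, port, type))
        end
      end
    end
    results
  end
end

# Usage mirroring the `use` / `set ACTION` / `run` sequence from the issue.
if __FILE__ == $PROGRAM_NAME
  scanner = MergedPortscan.new
  scanner.datastore['ACTION'] = 'syn'
  p scanner.run(['10.0.0.1'], [22, 23, 80])
  scanner.datastore['ACTION'] = 'ALL'
  p scanner.run(['10.0.0.1'], [22, 23, 80])
end
```

The point of the `ALL` action is the one the issue makes: RHOSTS and the rest of the datastore are set once, and changing scan type is a single `set ACTION` rather than a `use` of another module. An unknown ACTION is rejected before any host is touched, which is the check a merged module needs that five single-purpose modules never had to make.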

Most helpful comment

Some of these seem like good ideas, the portscan ones for example make lots of sense, but the SMB ones don't as a counter example. Those modules are doing rather dramatically different things. There are definitely some places where some of these could be combined, but we should be very careful how we do it. Modules should be performing discrete actions, and not big multi-tools in and of themselves. Some of these examples also look like deprecations are in order because better modules have come along and replaced them (looking at the wordpress group for example).

All 11 comments

Not sure if this would have an effect on msf Pro and therefore need to be coordinated/handled on that side of the house. Maybe someone with r7 could chime in.
@wvu-r7 is on a WELL deserved vacation, so hopefully someone else.

Would almost certainly have an effect on Pro, specifically how Pro runs modules as part of its automated scans/attacks.

It would also require massive module deprecations on the Framework side, having a significant effect on what modules users have been running.

That said, I'm all for using actions in aux modules and targets in exploits, as we discussed on IRC for #7017. :)

(I'm assuming this stemmed from #7017, where I suggested using actions for your module. This seems like the logical conclusion to that discussion...)

Maybe a staged approach with the more popular modules (TCP scan) last. That way there's the most impact and the least amount of possible issues.

Arguably, some modules shouldn't be combined, too. If different vulns are being exploited, they should be in different modules.

I also feel you'd hit a point of diminishing returns pretty fast, too, since there will ALWAYS be new modules.

And modules that are too large are a PITA to maintain, too. Lots of cons, lots of pros. It wouldn't be the first time it's come up.

@wvu-r7 Also the fact that a lot of automation scripts need to be updated as well (I certainly use a lot of smb aux stuff in scripts for enum). Not that I am disagreeing with @KINGSABRI. Some modules are definitely worth combining.

@wvu-r7 That's right, one of the main idea triggers is our discussion at #7017; another old one was

auxiliary/scanner/smb/pipe_auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor

The fact that there are always new modules does not conflict with the main goal: if there is an existing module that can take the new idea, then it can be merged; otherwise, create a new/separate module.

Till now, I can see that there are some concerns that could be summarized into:

  1. Metasploit Pro Automated scanner
  2. Existing community scripts

Some of these seem like good ideas, the portscan ones for example make lots of sense, but the SMB ones don't as a counter example. Those modules are doing rather dramatically different things. There are definitely some places where some of these could be combined, but we should be very careful how we do it. Modules should be performing discrete actions, and not big multi-tools in and of themselves. Some of these examples also look like deprecations are in order because better modules have come along and replaced them (looking at the wordpress group for example).

@dmaloney-r7 Thanks for commenting, I totally agree with you, so let's put some criteria for those modules that can be merged, like:

  • Deprecated modules that have a better existing replacement
  • Modules that have similar/mergeable actions for the same target/system/service/application
  • [ADD CRITERIA HERE]