n-quire, posted March 15, 2015:

I'm playing around with msfrpcd. I've seen a few references to it on various sites. I'd like to do a similar thing to this https://vimeo.com/29660886, where wpscan automatically runs an appropriate exploit. Here's what he does in the video:

In one terminal run:
msfrpc -S -U wpscan -P wpscan -f -t web -u RPC2

In another terminal run:
wpscan --url http://www.my_test_site.com --enumerate p

I have 2 questions:
1. What is the username and password used for in msfrpcd? I seem to be able to enter any text in there. Is it so that I can connect to the session from somewhere else? Does wpscan somehow need to use the same username?
2. Has anyone got the example from the video to work? msfrpcd seems to be working; wpscan scans my site and enumerates all the plugins, but I don't get an Exploit option at the end of the process. The video is fairly old, so maybe the functions have been deprecated since then.
magik, posted March 15, 2015:

> I have 2 questions:
> 1. What is the username and password used for in msfrpcd? I seem to be able to enter any text in there. Is it so that I can connect to the session from somewhere else? Does wpscan somehow need to use the same username?
> 2. Has anyone got the example from the video to work? msfrpcd seems to be working; wpscan scans my site and enumerates all the plugins, but I don't get an Exploit option at the end of the process. The video is fairly old, so maybe the functions have been deprecated since then.

1. Accessing the msfrpcd daemon. Only supports one username/password, but would allow multiple logins.
2. Most likely did not detect anything exploitable. "Have not seen or tried the examples in the video".
n-quire (author), posted March 15, 2015:

So, if the username and password is to access the daemon, does that mean I should be using my root login?
digininja, posted March 15, 2015:

The credentials are so that you can control who is able to log in to your Metasploit service. I'd guess that Ryan hardcoded them in the version of WPScan that he showed in the demo; he may have opened it out so that you can enter them on the command line, or they may still be hardcoded. Check with the man page or help text.

As for why you aren't getting an offer of exploitation, is your version of WP vulnerable to anything? WPScan isn't magically able to exploit anything; there has to be a vulnerability there to exploit. If you want to test it, then try installing the same version that Ryan uses in the video with the same plugins and you should be able to repeat it.
digip, posted March 15, 2015 (edited):

#1
> So, if the username and password is to access the daemon, does that mean I should be using my root login?

No, and I would suggest never using your root account unless using a LiveDISC or VM you don't care about having whacked. Kali and BackTrack by default run as root, with users knowing the risks, but you don't start MSF using your root creds in either case, and it's not needed to make things work for starting a listener on the desired port (if the daemon is started without SSL and you connect via another machine on the network using your root creds as the same for your session, they are going to be sent over the network in the clear). If you set up MSF on your own box, settings will most likely be different and you'll also be starting processes with sudo to get the daemon running, depending on how you set up your OS, but your OS creds and RPC creds are not the same thing.

Also, it's "msfrpcd", not msfrpc (msfrpc is another resource file). You can compare the source code of each to get an idea what it is you are looking at though:
https://github.com/rapid7/metasploit-framework/blob/master/msfrpc
https://github.com/rapid7/metasploit-framework/blob/master/msfrpcd

Command switches you showed above:
-S - Disable SSL on the RPC socket
-U - Specify the username to access msfrpcd
-P - Specify the password to access msfrpcd
-f - Run the daemon in the foreground
-t - Authentication method, ie: Web, Basic (tells if web based form, or pop up htpasswd type window) but I don't think is part of the current release
-u - URI for Web server

Take a look at the defaults, which the switches above will override:

    opts = {
      'RunInForeground' => true,
      'SSL' => true,
      'ServerHost' => '0.0.0.0',
      'ServerPort' => 55553,
      'ServerType' => 'Msg'
    }

0.0.0.0 means the OS is listening on 55553, so any connection to 127.0.0.1 on 55553 would show whatever the listening socket responds with, if anything. Try opening your browser to http://wpscan:wpscan@127.0.0.1:55553/RPC2 after starting the daemon though; you might see something like a listening socket message or just a blank screen, then look at your console to see what message it received from the browser, and you'll know it's up if it shows something connecting though. Your browser should force the console to show a connection (I would think).

#2 was answered above:
> 2. Most likely did not detect anything exploitable.

Try purposely installing a known vulnerable plug-in that wpscan also knows to look for, and then test again. You can run wpscan by itself just to check for vulns, so if none are found, then msf has nothing it can do at this point and won't do anything. However, there are attacks you can try against wordpress via MSF directly, but you need to load the attack and then try it against the server running wordpress. ex: http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=&filter_author=metasploit&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
n-quire (author), posted March 15, 2015:

Thanks for the feedback. You guys are helpful as always. It turns out wpscan didn't pick up my vulnerable plugin because it couldn't detect the version (I should have read the screen properly). Manually running the exploit worked fine.
digininja, posted March 15, 2015:

> #1 No, and I would suggest never using your root account unless using a LiveDISC or VM you don't care about having whacked.

Interestingly, I had a chat with one of the Metasploit team a while ago who said they expected Metasploit to be run as root due to the number of things that needed to start TCP listeners on privileged ports.
digininja, posted March 15, 2015:

And another chat, this time with Ryan who writes WPScan: the integration with Metasploit never made it into a full release, the WPScan team decided against it. Basically, give up trying to recreate the demo, you can't.
digip, posted March 15, 2015:

> Interestingly, I had a chat with one of the Metasploit team a while ago who said they expected Metasploit to be run as root due to the number of things that needed to start TCP listeners on privileged ports.

I didn't say not to run a process as a root user. You can "sudo someprocess" sure (or if you like, run as root), but I was talking about his RPC process using the same creds for the listener, since that's what the msfrpcd is creating a session and credentials to that socket for, no? If you start armitage, using the gui, by default it does not use the same creds as a root user to start the msfconsole and rpc services (at least I don't think that's how it works, but I could be wrong, maybe there is a user called msf in backtrack and kali). Take a look at Armitage screenshots for example. I think msf and test are the default creds from a metasploit install but maybe that's just how Kali is setup - http://www.fastandeasyhacking.com/start

They start the listener with those creds, so if you're on another machine and want to connect to the same session, or share an armitage session, you would need to pass the rpc creds to it (I think..). If using the above example to start the session without SSL to transmit the data, it would be sent in the clear over the network when you authenticate to the listening socket, and if the same creds are for your system login, then you just gave them away at the same time.
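The point digip makes in both of his posts (with -S the auth.login call, and so the -U/-P credentials, cross the network in the clear) is easy to see from the bytes themselves. The following is an added example, not code from the thread or from Metasploit: it builds the request an RPC client sends to authenticate and then shows what an observer of a plaintext capture can read back out of it. Assumed wire format (matching how msfrpc-client behaves): an HTTP POST to the RPC URI carrying a MessagePack array [method, *args]; the /RPC2 URI, port 55553 and wpscan/wpscan credentials are taken from the thread, and the minimal MessagePack encoder/decoder here handles only short strings and small arrays.

```python
# Added example, not Metasploit's own code.  Assumed wire format (as in
# msfrpc-client): POST to the RPC URI with a MessagePack array [method, *args];
# for auth.login the args are the -U username and -P password.  Only fixarray,
# fixstr and str 8 are implemented, which is all auth.login needs.

def mp_str(s: str) -> bytes:
    data = s.encode()
    if len(data) < 32:                         # fixstr: 0xa0 | length
        return bytes([0xA0 | len(data)]) + data
    if len(data) < 256:                        # str 8: 0xd9, length byte
        return b"\xd9" + bytes([len(data)]) + data
    raise ValueError("string too long for this demo encoder")

def mp_array(items) -> bytes:
    if len(items) >= 16:                       # fixarray: 0x90 | count
        raise ValueError("array too long for this demo encoder")
    return bytes([0x90 | len(items)]) + b"".join(mp_str(i) for i in items)

def build_login_request(host: str, port: int, uri: str, user: str, password: str) -> bytes:
    """The full HTTP request a client sends to log in; with -S nothing encrypts it."""
    body = mp_array(["auth.login", user, password])
    head = (f"POST {uri} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Content-Type: binary/message-pack\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body

def creds_in_capture(raw: bytes):
    """Return {'user', 'password'} if a plaintext capture holds an auth.login call, else None."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return None
    body, pos, items = raw[sep + 4:], 1, []
    if not body or (body[0] & 0xF0) != 0x90:   # body must start with a fixarray
        return None
    for _ in range(body[0] & 0x0F):
        tag = body[pos]
        if (tag & 0xE0) == 0xA0:               # fixstr
            n, pos = tag & 0x1F, pos + 1
        elif tag == 0xD9:                      # str 8
            n, pos = body[pos + 1], pos + 2
        else:
            return None                        # a non-string arg: not auth.login
        items.append(body[pos:pos + n].decode())
        pos += n
    if len(items) == 3 and items[0] == "auth.login":
        return {"user": items[1], "password": items[2]}
    return None
```

Running creds_in_capture(build_login_request("127.0.0.1", 55553, "/RPC2", "wpscan", "wpscan")) returns both values unchanged, which is exactly why the RPC credentials must not be the same as any system login when SSL is disabled.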
digininja, posted March 16, 2015:

Got you and agree, don't reuse your root creds anywhere. (Unless they are still root/toor, in which case you've got bigger problems.)
n-quire (author), posted March 16, 2015:

Don't worry. I never leave my creds as the default. I've changed them to admin/password.
cooper, posted March 16, 2015:

I like that combo myself. Reverse psychology. They wouldn't think I was that dumb, so they don't test for it.