This Metasploit module identifies NTP servers which permit mode 6 UNSETTRAP requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to UNSETTRAP requests with multiple packets, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests.
31621f3b6adf84cb730b81f9bedd0d5ea28c3b18ec44bdae7f848cc723eb9ddb
This Metasploit module identifies NTP servers which permit "monlist" queries and obtains the recent clients list. The monlist feature allows remote attackers to cause a denial of service (traffic amplification) via spoofed requests. The more clients there are in the list, the greater the amplification.
a5bd2be6d6639dad2ac8a8c5aadde7826dba8b96423872299961fe6135ef827c
This Metasploit module identifies NTP servers which permit "PEER_LIST_SUM" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests.
273e8598ce4a789ce6d57d34e58ef98d7869ba325e655e50c1718bbe3ecde008
This Metasploit module reads the system internal NTP variables. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers, and more.
e16cfa3e8bfd6d9000e68d4cbf6b3255490ec60c03ecb58123181f76af392248
This Metasploit module identifies NTP servers which permit mode 6 REQ_NONCE requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to REQ_NONCE requests with a response larger than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests.
7c04588bd861a077918678e95f126ec5037b6e8df43ffb7afd4db2bd791c1733
Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This Metasploit module sends these Crypto-NAK packets in order to establish an association between the target ntpd instance and the attacking client. The end goal is to cause ntpd to declare the legitimate peers "false tickers" and choose the attacking clients as the preferred peers, allowing these peers to control time.
6e2bb149f0c9a147fad33b95c5cfbcc5e8373753ed367acdeb9fa2b34bc84d4a
This Metasploit module checks for the OpenSSL ChangeCipherSpec (CCS) Injection vulnerability. The problem exists in the handling of early CCS messages during session negotiation. Vulnerable installations of OpenSSL accept them, while later implementations do not. If successful, an attacker can leverage this vulnerability to perform a man-in-the-middle (MITM) attack by downgrading the cipher spec between a client and server. This issue was first reported in early June, 2014.
50d2ae16c07b123362ddd9c4123d103a1aaf098f3776f32cfd170977a46bd234
This Metasploit module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution.
85635e053df5e304bbf5196ce9efa74067c05cc8dd4eb7e8f6f3808c60813a49
This Metasploit module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce list of passwords.
8e3762c08b09fcbd9c54cc1f7bc026ff226ffde59424745f6b3b8190cd4dfb6c
This Metasploit module attempts to read the first line of a file by abusing the error message when compiling a file with vcl.load.
686a425c40952290c7d61f15e0ffd8773aab2cc417d5a6790a52366d7dd49413
Chargen is a debugging and measurement tool and a character generator service. A character generator service simply sends data without regard to the input. Chargen is susceptible to spoofing the source of transmissions as well as use in a reflection attack vector. The misuse of the testing features of the Chargen service may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct it to a target. This can result in traffic loops and service degradation with large amounts of network traffic.
52953bf9fe3f79cb5c689f464333697b3fc90f8deb33819929445f342870c0ae
This Metasploit module will test a range of Brocade network devices for privileged logins and report successes. The device authentication mode must be set as aaa authentication enable default local. Telnet authentication, e.g. enable telnet authentication, should not be enabled in the device configuration. This Metasploit module has been tested against the following devices: ICX6450-24 SWver 07.4.00bT311, FastIron WS 624 SWver 07.2.02fT7e1.
ba6b7cde5c851324e0b62a255e70f86705bd185a26c3b4c57efe862f59094ea7
Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd).
801a2a0bc2125f7e99eba56579ca138bcbadf4fa4fc437391f1bcb094a53e493
This Metasploit module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers and Electricity Meters to perform arbitrary command execution as root.
5df4a9c4167f240a3d070d03d8d0e146532998c8387bae034befc386cfb709d1
This Metasploit module retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default) and extracts the telnet password. It has been tested successfully on a Lantronix Device Server with software version V5.8.0.1.
774029efa2fb513cbd66b5dcfba4523e04a8ee3ca0b2443ec30d09c92aba2529
This Metasploit module will calculate the password for the hard-coded hidden username "factory" in the RuggedCom Rugged Operating System (ROS). The password is dynamically generated based on the device's MAC address.
c2e2eaffaaf6dfc37d651baafa2013471ebe68045fd115839cdbf477361fe5de
Unitronics Vision PLCs allow unauthenticated PCOM commands to query PLC registers.
ad74cc35159b954896186d7e62a20c07e6ac64466c1320992f5f71422d481909
This Metasploit module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability exists in the Runtime.exe service and can be triggered by sending a specially crafted packet to the 46824/TCP port. This Metasploit module has been successfully tested on Sielco Sistemi Winlog Lite 2.07.14.
b86031eb554a91e334141d55bf93e4dd76814f3ae6c789b063d6cd6424f4986a
The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. A discovery packet compels a Moxa device to respond to the sender with some basic device information that is needed for more advanced functions. The discovery data is 8 bytes in length and is the most basic example of the Moxa protocol. It may be sent out as a broadcast (destination 255.255.255.255) or to an individual device. Devices that respond to this query may be vulnerable to serious information disclosure vulnerabilities, such as CVE-2016-9361. The module is the work of Patrick DeSantis of Cisco Talos and is derived from original work by K. Reid Wightman. Tested and validated on a Moxa NPort 6250 with firmware versions 1.13 and 1.15.
98b6bc9ac986f9cabba0156932ffefd60159a96b8107e1d9b3448bedd300ff36
This Metasploit module exploits a directory traversal vulnerability in Indusoft WebStudio. The vulnerability exists in the NTWebServer component and allows reading arbitrary remote files with the privileges of the NTWebServer process. The module has been tested successfully on Indusoft WebStudio 6.1 SP6.
d242b8007726d97afc7ca45d4fdc57dd3eea44c1e53c5a4a3eff01999ce2fbaa
This Metasploit module attempts to authenticate to a locked Koyo DirectLogic PLC. The PLC uses a restrictive passcode, which can be A0000000 through A9999999. The "A" prefix can also be changed by the administrator to any other character, which can be set through the PREFIX option of this module. This Metasploit module is based on the original koyobrute.rb Basecamp module from DigitalBond.
aec78b92195bf4c9c28e103cf974f233901b700547dfefd61da7b7042b020860
This Metasploit module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.
6a4a44bfa015ee1e424da3c229e217a013236f2eec5a985ec1f2d2bbef888f5f
This Metasploit module checks a range of hosts for the MS12-020 vulnerability. This does not cause a DoS on the target.
8af29fc18715a26cabbd8050a6eb7d7d09d6e5b2f6a5c4dbb175fc6d6bd10023
This Metasploit module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.
0c3608ed8e91cd81229126b5a544cf3c0daccefc7901b1b5255f67bbdbafd3f7
This Metasploit module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "stats" request is executed to check if an amplification attack is possible against a third party.
cb5539054159e5bd7eb5991e8ba1abaed61e1b1644670a36b4815d24c61a9cab