Service to Shell
Posts
- Making a Custom Metasploit Module - Making a Metasploit module to exploit DNSSearcher
- Writing a Custom Nmap Scan - Writing an nmap match and banner probe to scan dnssearcher
- Making a Vulnerable Webapp - Make a simple webapp vulnerable to command injection to exploit later
Check out the code at github.com/cnnrshd/service-to-shell!
Summary
This was a fun project.
I enjoyed most of the process; the worst part was trying to troubleshoot some of the Metasploit issues I was having (especially using echo as a cmdstager).
I made:
- DNSSearcher, a vulnerable FastAPI service, then used FastAPI’s data validation to prevent command injection on an endpoint.
- An extremely minimal nmap-service-probes file that runs 100x faster and only detects DNSSearcher.
- A Metasploit module that auto-checks the exploit and works with multiple payloads and stagers.
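To make the first item concrete, here is the vulnerable-then-validated pattern it describes, as an added example written for this summary rather than DNSSearcher's own source. The nslookup command, the hostname rule and the function names are assumptions, and the FastAPI route wiring is left out so the validation logic runs with the standard library alone (in the real service the same rule would sit on the request model or as a parameter regex that FastAPI enforces before the handler runs):

```python
import re
import subprocess

# Hypothetical helpers for a DNS-lookup endpoint; names and the choice of
# nslookup are assumptions, not taken from DNSSearcher.


def build_lookup_vulnerable(host: str) -> str:
    """The command-injection pattern: untrusted input pasted into a shell
    string that is later handed to a shell. 'example.com; id' becomes two
    commands, and '$(id)' is expanded before nslookup ever sees it."""
    return f"nslookup {host}"


# Hostname rule (constructed here, roughly RFC 1123): dot-separated labels of
# letters, digits and hyphens, 1-63 chars each, no leading/trailing hyphen,
# optional trailing dot, 253 chars total. Rejecting a leading hyphen also
# blocks argument injection such as a "host" of "-version" once we stop
# using a shell and pass argv directly.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")


def is_valid_hostname(host: str) -> bool:
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def validate_hostname(host: str) -> str:
    """Data-validation step: reject anything that is not a plain hostname.
    Shell metacharacters, spaces, '$(...)' and option-looking values all fail."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def build_lookup_safe(host: str) -> list[str]:
    """Hardened form: validate, then pass the value as one argv element so no
    shell is involved at all (subprocess with a list and shell=False)."""
    return ["nslookup", validate_hostname(host)]


def run_lookup(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened lookup. Not called by the tests (needs DNS)."""
    return subprocess.run(
        build_lookup_safe(host), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    attack = "example.com; id"
    print("vulnerable string:", build_lookup_vulnerable(attack))
    try:
        build_lookup_safe(attack)
    except ValueError as exc:
        print("rejected:", exc)
    print("safe argv:", build_lookup_safe("example.com"))
```

The two defences are independent: the validator stops hostile values at the API boundary, and passing an argv list instead of a shell string means that even a value that slipped past validation could at most be an odd argument to nslookup, not a second command.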
Artifacts
So far, there are no greater contributions to the cyber security community as a result of this project. I do have some tooling that I talked about at the end of Making a Custom Metasploit Module that might be fun:
- Some utilities (in the style of sysmon_utils) for working with nmap probe files, testing banners, etc.
- A toy scanner, probably in Go, that is compatible with nmap service probes. This might be a good way to learn the language.
Reflection
This was a great project for understanding how Nmap and Metasploit work beyond the kind of experience you’d get just by using these tools. Making the small web service (DNSSearcher) was fun, and I think I’ll use the FastAPI library more.
I would highly recommend that anyone who uses tools try to play with them: write your own logic, try to write a module. It really helps.