Gopher gophermap Scanner - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/gopher/gopher_gophermap metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

Name: Gopher gophermap Scanner
Module: auxiliary/scanner/gopher/gopher_gophermap
Source code: modules/auxiliary/scanner/gopher/gopher_gophermap.rb
Disclosure date: -
Last modification time: 2017-10-20 09:44:07 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 70
List of CVEs: -

This module identifies Gopher servers, and processes the gophermap file which lists all the files on the server.

Module Ranking and Traits

Module Ranking:

normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > show options
    ... show and set options ...
msf auxiliary(gopher_gophermap) > set RHOSTS ip-range
msf auxiliary(gopher_gophermap) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(gopher_gophermap) > set RHOSTS 192.168.1.3-192.168.1.200

Example 2:

msf auxiliary(gopher_gophermap) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(gopher_gophermap) > set RHOSTS file:/tmp/ip_list.txt

Required Options

RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base

Vulnerable Application

Any gopher server will work. There seems to only be a few left in 2017.

A few options for local installation and testing are below.

Docker Install

A dockerized gopher server written in Go is available. To install and run this, with content being served out of a temporary directory in which you'll be left:

$  docker pull prodhe/gopher
Using default tag: latest
latest: Pulling from prodhe/gopher
627beaf3eaaf: Already exists
8800e3417eb1: Pull complete
d9f3bcdad0eb: Pull complete
c018073abd26: Pull complete
b2855f535c50: Pull complete
23480a2f73d8: Pull complete
1555a5435ec5: Pull complete
0728d289e0fc: Pull complete
6f6f265b58ee: Pull complete
Digest: sha256:69931d56946d192d9bd155a88b6f365cb276e9edf453129d374e64d244d1edaa
Status: Downloaded newer image for prodhe/gopher:latest
$  cd `mktemp -d`;
$  sudo docker run --rm -d -it --name gopher_test -v `pwd -P`:/public  -p 70:70  prodhe/gopher
2017/10/20 16:45:01 Serving /public/ at localhost:70
$ date > test.txt
$ echo HELLO > README.md

NOTE: Don't forget to docker stop the container ID returned from the docker run command just run above: $ docker stop X X

Ubuntu 16.04 Install

First we need to install the server:

sudo apt-get install gopher-server

Next, we need to build content for the scanner to find. Gopher works off of a gophermap, somewhat similar to a content index page, where files are listed in a menu type system.

echo "
hello world" | sudo tee /var/gopher/example.html
echo "foobarbaz" | sudo tee /var/gopher/foobar.txt
sudo mkdir /var/gopher/msf
echo "meterpreter rules" | sudo tee /var/gopher/msf/meterp.txt
sudo wget "https://pbs.twimg.com/profile_images/580131056629735424/2ENTk2K2.png" -O /var/gopher/msf/logo.png

echo -ne "gopher custom gophermap\n\nhHello World\t/example.html\t1.1.1.1\t70\n0Foo File\t/foobar.txt\t1.1.1.1\t70\n1msf\t/msf\t1.1.1.1\t70\nhmetasploit homepage\tURL:http://metasploit.com/\n" | sudo tee /var/gopher/gophermap
sudo chmod +r -R /var/gopher

In this case we create an html file, text file, a directory with a text file and png file in it. Enough content so its nice to look at. Next we write our gophermap file. The first line is just an intro. After that, we list our files that the client can access.

The format of these lines is: XSome text here[TAB]/path/to/content[TAB]example.org[TAB]port. The first character, X is the file type which can be referenced in the table below. The final address (example.org) and PORT are optional.

The following table contains the file types associated with the characters:

Itemtype	Content
0	Text file
1	Directory
2	CSO name server
3	Error
4	Mac HQX filer
5	PC binary
6	UNIX uuencoded file
7	Search server
8	Telnet Session
9	Binary File
c	Calendar (not in 2.06)
e	Event (not in 2.06)
g	GIF image
h	HTML, Hypertext Markup Language
i	inline text type
s	Sound
I	Image (other than GIF)
M	MIME multipart/mixed message
T	TN3270 Session

Verification Steps

Install the application
Start msfconsole
Do: use auxiliary/scanner/gopher/gopher_gophermap
Do: set rhosts [IPs]
Do: run
You should see the gophermap file printed in a parsed format

Options

PATH

It is possible to view content within a directory of the gophermap. If the intial run shows directory Directory: foobar, setting path to /foobar will enumerate the contents of that folder. Default: [empty string].

Scenarios

Docker Gopher Server

msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set RHOSTS localhost
RHOSTS => localhost
msf auxiliary(gopher_gophermap) > run

[+] 127.0.0.1:70          -   Text file: README.md
[+] 127.0.0.1:70          -     Path: localhost:70/README.md
[+] 127.0.0.1:70          -   Text file: test.txt
[+] 127.0.0.1:70          -     Path: localhost:70/test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Gopher-server on Ubuntu 16.04

msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf auxiliary(gopher_gophermap) > set verbose true
verbose => true
msf auxiliary(gopher_gophermap) > run

[+] 1.1.1.1:70      - gopher custom gophermap
[+] 1.1.1.1:70      -
[+] 1.1.1.1:70      -   HTML: Hello World
[+] 1.1.1.1:70      -     Path: 1.1.1.1:70/example.html
[+] 1.1.1.1:70      -   Text file: Foo File
[+] 1.1.1.1:70      -     Path: 1.1.1.1:70/foobar.txt
[+] 1.1.1.1:70      -   Directory: msf
[+] 1.1.1.1:70      -     Path: 1.1.1.1:70/msf
[+] 1.1.1.1:70      -   HTML: metasploit homepage
[+] 1.1.1.1:70      -     Path: 1.1.1.1:70/URL:http://metasploit.com/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Go back to menu.

Msfconsole Usage

Here is how the scanner/gopher/gopher_gophermap auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/gopher/gopher_gophermap

msf6 auxiliary(scanner/gopher/gopher_gophermap) > show info

       Name: Gopher gophermap Scanner
     Module: auxiliary/scanner/gopher/gopher_gophermap
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  h00die

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PATH                      no        Path to enumerate
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    70               yes       The target port (TCP)
  THREADS  1                yes       The number of concurrent threads (max one per host)

Description:
  This module identifies Gopher servers, and processes the gophermap 
  file which lists all the files on the server.

References:
  https://sdfeu.org/w/tutorials:gopher

Module Options

This is a complete list of options available in the scanner/gopher/gopher_gophermap auxiliary module:

msf6 auxiliary(scanner/gopher/gopher_gophermap) > show options

Module options (auxiliary/scanner/gopher/gopher_gophermap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH                      no        Path to enumerate
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    70               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

Advanced Options

Here is a complete list of advanced options supported by the scanner/gopher/gopher_gophermap auxiliary module:

msf6 auxiliary(scanner/gopher/gopher_gophermap) > show advanced

Module advanced options (auxiliary/scanner/gopher/gopher_gophermap):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   CHOST                                 no        The local client address
   CPORT                                 no        The local client port
   ConnectTimeout       10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                             no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode        PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion           Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the scanner/gopher/gopher_gophermap module can do:

msf6 auxiliary(scanner/gopher/gopher_gophermap) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the scanner/gopher/gopher_gophermap auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/gopher/gopher_gophermap) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Error
No gophermap

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Error

Here is a relevant code snippet related to the "Error" error message:

33:	
34:	  TYPE_MAP = {
35:	    '0' => 'Text file',
36:	    '1' => 'Directory',
37:	    '2' => 'CSO name server',
38:	    '3' => 'Error',
39:	    '4' => 'Mac HQX filer',
40:	    '5' => 'PC binary',
41:	    '6' => 'UNIX uuencoded file',
42:	    '7' => 'Search server',
43:	    '8' => 'Telnet Session',

No gophermap

Here is a relevant code snippet related to the "No gophermap" error message:

89:	
90:	          end
91:	        end
92:	        report_service(host: ip, port: rport, service: 'gopher', info: gophermap)
93:	      else
94:	        print_error('No gophermap')
95:	      end
96:	    rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET
97:	    rescue ::Exception => e
98:	      print_error("#{ip}: #{e} #{e.backtrace}")
99:	    ensure

Go back to menu.