Gopher gophermap Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/gopher/gopher_gophermap metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Gopher gophermap Scanner
Module: auxiliary/scanner/gopher/gopher_gophermap
Source code: modules/auxiliary/scanner/gopher/gopher_gophermap.rb
Disclosure date: -
Last modification time: 2017-10-20 09:44:07 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 70
List of CVEs: -
This module identifies Gopher servers, and processes the gophermap file which lists all the files on the server.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > show options
... show and set options ...
msf auxiliary(gopher_gophermap) > set RHOSTS ip-range
msf auxiliary(gopher_gophermap) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(gopher_gophermap) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(gopher_gophermap) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(gopher_gophermap) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Any gopher server will work. There seems to only be a few left in 2017.
A few options for local installation and testing are below.
Docker Install
A dockerized gopher server written in Go is available. To install and run this, with content being served out of a temporary directory in which you'll be left:
$ docker pull prodhe/gopher
Using default tag: latest
latest: Pulling from prodhe/gopher
627beaf3eaaf: Already exists
8800e3417eb1: Pull complete
d9f3bcdad0eb: Pull complete
c018073abd26: Pull complete
b2855f535c50: Pull complete
23480a2f73d8: Pull complete
1555a5435ec5: Pull complete
0728d289e0fc: Pull complete
6f6f265b58ee: Pull complete
Digest: sha256:69931d56946d192d9bd155a88b6f365cb276e9edf453129d374e64d244d1edaa
Status: Downloaded newer image for prodhe/gopher:latest
$ cd `mktemp -d`;
$ sudo docker run --rm -d -it --name gopher_test -v `pwd -P`:/public -p 70:70 prodhe/gopher
2017/10/20 16:45:01 Serving /public/ at localhost:70
$ date > test.txt
$ echo HELLO > README.md
NOTE: Don't forget to docker stop
the container ID returned from the docker run
command just run above:
$ docker stop X
X
Ubuntu 16.04 Install
First we need to install the server:
sudo apt-get install gopher-server
Next, we need to build content for the scanner to find. Gopher works off of a gophermap
, somewhat similar
to a content index page, where files are listed in a menu type system.
echo "
hello world
" | sudo tee /var/gopher/example.html
echo "foobarbaz" | sudo tee /var/gopher/foobar.txt
sudo mkdir /var/gopher/msf
echo "meterpreter rules" | sudo tee /var/gopher/msf/meterp.txt
sudo wget "https://pbs.twimg.com/profile_images/580131056629735424/2ENTk2K2.png" -O /var/gopher/msf/logo.png
echo -ne "gopher custom gophermap\n\nhHello World\t/example.html\t1.1.1.1\t70\n0Foo File\t/foobar.txt\t1.1.1.1\t70\n1msf\t/msf\t1.1.1.1\t70\nhmetasploit homepage\tURL:http://metasploit.com/\n" | sudo tee /var/gopher/gophermap
sudo chmod +r -R /var/gopher
In this case we create an html file, text file, a directory with a text file and png file in it. Enough content so its nice to look at.
Next we write our gophermap
file. The first line is just an intro. After that, we list our files that the client can access.
The format of these lines is: XSome text here[TAB]/path/to/content[TAB]example.org[TAB]port
. The first character, X
is the file type
which can be referenced in the table below. The final address (example.org) and PORT are optional.
The following table contains the file types associated with the characters:
Itemtype | Content |
---|---|
0 | Text file |
1 | Directory |
2 | CSO name server |
3 | Error |
4 | Mac HQX filer |
5 | PC binary |
6 | UNIX uuencoded file |
7 | Search server |
8 | Telnet Session |
9 | Binary File |
c | Calendar (not in 2.06) |
e | Event (not in 2.06) |
g | GIF image |
h | HTML, Hypertext Markup Language |
i | inline text type |
s | Sound |
I | Image (other than GIF) |
M | MIME multipart/mixed message |
T | TN3270 Session |
Verification Steps
- Install the application
- Start msfconsole
- Do:
use auxiliary/scanner/gopher/gopher_gophermap
- Do:
set rhosts [IPs]
- Do:
run
- You should see the gophermap file printed in a parsed format
Options
PATH
It is possible to view content within a directory of the gophermap. If the intial run shows directory Directory: foobar
,
setting path to /foobar
will enumerate the contents of that folder. Default: [empty string].
Scenarios
Docker Gopher Server
msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set RHOSTS localhost
RHOSTS => localhost
msf auxiliary(gopher_gophermap) > run
[+] 127.0.0.1:70 - Text file: README.md
[+] 127.0.0.1:70 - Path: localhost:70/README.md
[+] 127.0.0.1:70 - Text file: test.txt
[+] 127.0.0.1:70 - Path: localhost:70/test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Gopher-server on Ubuntu 16.04
msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf auxiliary(gopher_gophermap) > set verbose true
verbose => true
msf auxiliary(gopher_gophermap) > run
[+] 1.1.1.1:70 - gopher custom gophermap
[+] 1.1.1.1:70 -
[+] 1.1.1.1:70 - HTML: Hello World
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/example.html
[+] 1.1.1.1:70 - Text file: Foo File
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/foobar.txt
[+] 1.1.1.1:70 - Directory: msf
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/msf
[+] 1.1.1.1:70 - HTML: metasploit homepage
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/URL:http://metasploit.com/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the scanner/gopher/gopher_gophermap auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/gopher/gopher_gophermap
msf6 auxiliary(scanner/gopher/gopher_gophermap) > show info
Name: Gopher gophermap Scanner
Module: auxiliary/scanner/gopher/gopher_gophermap
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
h00die
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH no Path to enumerate
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 70 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
This module identifies Gopher servers, and processes the gophermap
file which lists all the files on the server.
References:
https://sdfeu.org/w/tutorials:gopher
Module Options
This is a complete list of options available in the scanner/gopher/gopher_gophermap auxiliary module:
msf6 auxiliary(scanner/gopher/gopher_gophermap) > show options
Module options (auxiliary/scanner/gopher/gopher_gophermap):
Name Current Setting Required Description
---- --------------- -------- -----------
PATH no Path to enumerate
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 70 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
Advanced Options
Here is a complete list of advanced options supported by the scanner/gopher/gopher_gophermap auxiliary module:
msf6 auxiliary(scanner/gopher/gopher_gophermap) > show advanced
Module advanced options (auxiliary/scanner/gopher/gopher_gophermap):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/gopher/gopher_gophermap module can do:
msf6 auxiliary(scanner/gopher/gopher_gophermap) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/gopher/gopher_gophermap auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/gopher/gopher_gophermap) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Error
Here is a relevant code snippet related to the "Error" error message:
33:
34: TYPE_MAP = {
35: '0' => 'Text file',
36: '1' => 'Directory',
37: '2' => 'CSO name server',
38: '3' => 'Error',
39: '4' => 'Mac HQX filer',
40: '5' => 'PC binary',
41: '6' => 'UNIX uuencoded file',
42: '7' => 'Search server',
43: '8' => 'Telnet Session',
No gophermap
Here is a relevant code snippet related to the "No gophermap" error message:
89:
90: end
91: end
92: report_service(host: ip, port: rport, service: 'gopher', info: gophermap)
93: else
94: print_error('No gophermap')
95: end
96: rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET
97: rescue ::Exception => e
98: print_error("#{ip}: #{e} #{e.backtrace}")
99: ensure
Go back to menu.
Related Pull Requests
References
See Also
Check also the following modules related to this module:
- auxiliary/admin/android/google_play_store_uxss_xframe_rce
- auxiliary/admin/http/wp_google_maps_sqli
- exploit/unix/webapp/wp_google_document_embedder_exec
- exploit/windows/smb/smb_rras_erraticgopher
Authors
h00die
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.