
There is a website which I want to audit. That site must have a specific Virtualhost configuration, because if you access it using the domain name the website is shown, but if you use the IP address the website is not shown.

If I launch an exploit using Metasploit against a site with this kind of configuration, it doesn't work. I think it is because Metasploit is replacing the domain name with the resolved IP address, and in that way the website is not responding as expected.

Example:

Take an Apache server hosting a WordPress site (http://example.com) with the kind of Virtualhost configuration explained above. This site has the XML-RPC API enabled. If I use a tool like wpscan, for example, you can put the URL of the site (using --url http://example.com) and it works. But if I try to use the auxiliary/scanner/http/wordpress_xmlrpc_login Metasploit module, after setting the RHOSTS var with the domain name (set RHOSTS example.com) and launching the exploit, the module is answering:

[*] x.x.x.x:80     :/xmlrpc.php - Sending Hello...
[-] XMLRPC is not enabled! Aborting

In the response there is the IP address and not the domain name. So I guess it is because, as I explained, Metasploit is resolving and replacing the RHOSTS var with the IP address value, and then the module is failing because of the web server's Virtualhost configuration.

So the question is:

  • Is there a way (maybe a plugin I don't know) in Metasploit to avoid this transformation/replacing?

1 Answer

You are searching for the VHOST option. As you may know, when you rent web hosting services, you may choose between a dedicated server and a shared one (which is much cheaper).

  • On shared servers, you are sharing the same machine with random people. It means the websites hosted on a shared server will share the same IP address. That's why you need to set the virtual host option: it will specify which domain name you want to query on this IP address.

  • On dedicated servers, you can configure the machine the way you want. With or without virtual hosts.

You can determine virtual host presence with the host command on your Linux distribution:

┌──[13:33:43]─[root@attack3r]
└──> ~ $ >> host target-website.com
   target-website.com has address 49.49.49.49
┌─[13:34:21]─[root@attack3r]
└──> ~ $ >> host 49.49.49.49
   49.49.49.49.in-addr.arpa domain name pointer www.host-service-provider.com

In the example above, by resolving both the IP and target-website.com, you can determine:

  • The target website points to 49.49.49.49

  • 49.49.49.49 points to the hosting service provider's domain name

In this example, target-website.com is a virtual host on 49.49.49.49. Otherwise, the IP lookup should return target-website.com, not the service provider's domain name.

Keep in mind that there are some exceptions; for example, try the same operation with security.stackexchange.com.

Testing without VHOST

  • use auxiliary/scanner/http/wordpress_xmlrpc_login
  • set RHOSTS 49.49.49.49
  • set TARGETURI /wp/
  • set USERNAME root
  • set PASSWORD toor
  • run

Output

[*] 49.49.49.49:80    :/wp/xmlrpc.php - Sending Hello...
|R-chain|-<>-127.0.0.1:9050-<><>-49.49.49.49:80-<><>-OK
[-] XMLRPC is not enabled! Aborting
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Adding VHOST

  • set VHOST target-website.com
  • run

Output

[*] 49.49.49.49:80    :/wp/xmlrpc.php - Sending Hello...
|R-chain|-<>-127.0.0.1:9050-<><>-49.49.49.49:80-<><>-OK
[+] 49.49.49.49:80   - XMLRPC enabled, Hello message received!
[*] Starting XML-RPC login sweep...
|R-chain|-<>-127.0.0.1:9050-<><>-49.49.49.49:80-<><>-OK
|R-chain|-<>-127.0.0.1:9050-<><>-49.49.49.49:80-<><>-OK
[-] 49.49.49.49:80   - Failed: 'root:toor'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Edit: answering comments

Yes, it does:

vhost
