Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
I want to contribute code to the Metasploit Framework but I haven't got to know their formatting guidelines and code requirements. What are the contribution guidelines to get started to write your own Metasploit modules?
If you follow this link:
How to get started with writing an auxiliary module
You'll find not only a helpful reference for setting up a metasploit module, but also an entire wiki with (at time of writing) 106 pages on metasploit development and use.
Now, I say reference and not tutorial because making metasploit modules 10% boilerplate code that you need to look up and 90% good-old-ruby that has nothing to do with metasploit.
Take, for example, this simple template module:
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Module name',
'Description' => %q{
Say something that the user might want to know.
},
'Author' => [ 'Name' ],
'License' => MSF_LICENSE
))
end
def run
# use `print_status` to print to the metasploit console, instead of `puts`
end
end
Walking through it line by line:
require 'msf/core'
First we require the metasploit files so we can use them.
class MetasploitModule < Msf::Auxiliary
Then we define a new class which inherits from the metasploit auxiliary class.
include Msf::Auxiliary::Scanner
Here we include the metasploit scanner so we can use it in our code. You can include any of metasploit's modules here to use them within your own module; however, you likely won't find tutorials for the modules. You're expected to read the documentation to learn how to use them.
def initialize(info = {})
super(update_info(info,
'Name' => 'Module name',
'Description' => %q{
Say something that the user might want to know.
},
'Author' => [ 'Name' ],
'License' => MSF_LICENSE
))
end
This initialize method is basically boilerplate code that tells metasploit information about your module so it can display said information to users inside the metasploit console.
def run
# use `print_status` to print to the metasploit console, instead of `puts`
end
This is where your code goes! This is also where metasploit ends and good-old-ruby begins. If you're making an HTTP server to echo a malicious payload, use an http server gem and write your logic. You can use metasploit modules here, but you use them (and learn how to use them) the same way you would any other ruby gem or library: look up the documentation and the API reference.
end
And that's it! Ultimately, you're discovering what makes IT security such a difficult field. There aren't any tutorials that can teach you how to hack or frameworks that can help you create exploits. Metasploit is more of a tool for curating collections of exploits, and writing your own module is just "plugging" your exploit into metasploit so other people can easily use it. The exploit itself is simply some ruby code, made to do something clever using basic network libraries.
Creating a completely new and useful hacking tool would be a big deal that some paid security professionals only dream of achieving. I suggest you pick a hacking tool which already exists (password cracker, network scanner, web crawler, etc), research that tool's purpose and functions, get well-acquainted with using it, and work on creating your own version of one. Then, once you've got it doing what you want, take your code and wrap it in a metasploit template so it can be accessed from metasploit.
If you get stuck along the way, you can come back to StackOverflow with more specific questions (eg "How can I scan for open ports on an IP?" or "How do I access options inside a metasploit module?") and we'll be happy to help you with those!
Cheers and good luck!
Related
Summarize the problem:
Being relatively new to Ruby/Gems and developing in general, some concepts evade me
I'm learning about the google-api-client Gem, and am attempting to understand the Basic Usage, and want to know how a developer knows which class to use, when instantiating an ojbect, during the "aliasing of the module" portion:
To use an API, include the corresponding generated file and instantiate the service. For example to use the Drive API:
require 'google/apis/drive_v2'
Drive = Google::Apis::DriveV2 # Alias the module
drive = Drive::DriveService.new # why is ::DriveService used here?
#etc
Describe what I've tried:
I've searched through the reference documentation for the google-api-client for a clue about the "decision" to instantiate drive with ::DriveService.new
The best reason I've come up with is: DriveService is instantiated because it is the "BaseService" of the "DriveV2" Class.... but I'm reaching for straws with this logic.
My specific question is:
How does a developer using APIs and this Google-API-client Gem know which object to instantiate?
I have to imagine there's a more elegant "way" to determine which object to instantiate at this point of accessing an API than digging through the documentation of the Gem....I mean...the "BaseService" information is coming from the documentation for this specific Gem.....
Maybe this is a matter of me losing "scope" per say by the Google API and the ambiguously named Gem maintained by Google...
But then again...if I'm using this Gem...then this documentation would always apply, because I wouldn't be able to use this Gem if it wasn't a Google-API....
from the documentation
The link above is the necessary detail regarding Authorization for an API key.
If you're like me, and this subject is new to you, there are three topics that you need to understand:
Authentication
Authorization
Accounting
The documentation for the google-api-client gem is robust enough to answer a lot of questions, however, my answer here is hopefully enough to get you pointed in the right direction.
I'm leaving the question up, in case anyone else needs some guidance regarding this same subject.
I'm just trying to understand how to use particular ruby gems. For example, take this reddit gem. It says to have this code to start:
require 'snoo'
# Create a new instance of the client
reddit = Snoo::Client.new
# Log into reddit
reddit.log_in 'Username', 'Password'
# Send a private message to me (Paradox!)
reddit.send_pm 'Paradox', 'Snoo rubygem rocks!', "Hey Paradox, I'm trying your Snoo rubygem out and it rocks. Thanks for providing such an awesome thing!"
# Log back out of reddit
reddit.log_out
Great but in the documentation you can see that the Client class doesn't have very many exciting functions. The exciting functions are in the Account class but there is no way to get to it...because if I try something like this
reddit = Snoo::Account.new
I get this error:
`initialize': undefined method `new' for Snoo::Account:Module (NoMethodError)
Okay so there's no new method but how do I make an Account object and use its functions like log_in?
Snoo::Account is a Ruby Module, and has been mixed in to Snoo::Client already by the gem. All the functions of Snoo::Account are already available to you on the reddit object.
The synopsis documentation in the readme doesn't make this very clear. But otherwise the documentation on the gem looks good to me.
Taking a short look at the source code on github makes me believe this is a fault in the documentation, as client clearly includes the functionality of many other modules, including the Account module you would like to access. In your example code, try the following methods to confirm it for yourself:
reddit.methods.sort
reddit.is_a? Snoo::Account
I assume the documentation software didn't catch the includes as they were executed using a block.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I need a suggestion on how to implement "client-server" web apps in ruby. Any guides and best practices are highly appreciated. I'm interested both in Ruby ways and gems required as it is a desired platform, and in general ways and logic to implement such things.
I'm not an excellent ruby programmer or a skilled system designer with years of expirience sadly so I really need your help as I still hope this thing would shine in the end.
The current look of the application should be like this:
DB + Auth DB <-> API App <-> Other Apps:
DB - a database or set of databases with one DB for group of users (regions).
Auth DB - one more DB with personal users' data and login information, probably single even if main databases would be split between regions.
API App - this thing maintains all the logic around data, access control and translations probably to have one translations base for all the apps.
Other Apps - bunch of different applications, tied with API, this could be data providers that pokes API with some data about some user, and UI of different kinds. All of the apps could not have own storage of user-related info and work with the data only through the API.
API App: looks like the best tool to make it is Sinatra. The questions are:
How to organize API in the clear way? Rails makes nice REST path settings and folders structure for models and controllers. Any tips or gems to improve API building expirience?
How to maintain access? Warden isn't looks like a good option as API clients would be the web apps themselves. So I need some kind of auth token. How could it be done? Some sort of custom OAuth provider? The thing is, I don't like the idea to store and pass session cookies through the API, some sort of access token passed with each request. This also
Other Apps: mainly web-based UIs. The logical selection for this part is Rails. The main question is how to implement client-side auth check. Devise is cool, but is it possible to make it work with token, or is it more suitable tool?
Okay, this is going to be a bit longer:
If you are already familiar with Rails, you can have a look at the Rails API gem. The project strives to remove additional cruft from Rails which is not needed for a JSON-based RESTful API.
This may sound smooth, but it has it's downsides. First and foremost, you have the readd everything that is needed for basic rails functionality, that you may be accustomed to, e.g. respond_to. This can be a bit tricky, but is pretty straightforward when you find out which rails module originally provided the functionality usually bundled in Rails within the ActionController::Base.
That being said, let me give you an example of what i did for a small API project I did last week out of curiosity:
Initial Situation
We have a mainly finished Rails App. It all works fine, but it is basically monolithic. Everything is served by the Rails Framework. Luckily for us, all the model logic is bundled into a gem called core. the application essentially lets logged in customers create products which are than searchable through an end user view.
The goal was to provide a RESTful API for this, which can handle concurrency and larger data files (i.e. CSV, XLS) a little bit more efficiently.
Introducing Rails API
The design goal let me to the Rails API gem. The basic installation works like in Rails, except the script is called rails-api, i.e.:
rails-api new jsonapi
The advantage for me here was that I could use the core from the other application, but nothing would stop me from just introducing my own models to the jsonapi application.
That being said, you can do all the standard Rails goodies, like routing, etc. It follows the same convention. then again, standard routes initially react to JSON only, which can be a bit confusing at times.
Let me give you an example of the API Controller that handles products:
class ProductsController < ApplicationController
include ActionController::HttpAuthentication::Token
before_filter :find_product, :except => [:create, :index]
def index
render :json => #products
end
def create
#product = product.new params[:product]
if #product.save
render :json => #product, :status => :created
else
render :json => #product.errors, :status => :unprocessable_entity
end
end
def show
render :json => #product
end
def update
if #product.update_attributes params[:product]
render :json => #product, :status => :ok
else
render :json => #product.errors
end
end
def destroy
if #product.destroy
render :json => #product, :status => :ok
else
render :json => {:note => I18n.t("messages.deletion_impossible")}, :status => :unprocessable_entity
end
end
protected
def find_product
#product = Product.find params[:id]
end
end
It is nothing special. The only thing to note is the second line where ActionController::HttpAuthentication::Token is included explicitly. This is so that your aPI may be secured by HTTP Token. If you want to know more about securing an API, I suggest Ryan Bates' Guide on Railscasts.
In essential, you provide a before filter in the ApplicationController like this:
class ApplicationController < ActionController::API
include ActionController::HttpAuthentication::Token::ControllerMethods
[...]
before_filter :restrict_access
[...]
def restrict_access
authenticate_or_request_with_http_token do |token, options|
# see if key is valid.
end
end
end
Again, note the second line, you have to include the ControllerMethods manually, otherwise no controller will know about authenticate_or_request_with_http_token.
Extension
You may know extend the API based on the Rails conventions. It works exactly the same way, with the exception that some stuff is intentionally missing by default. I suggest adding JBuilder (Railscast), if you need more flexibility in your JSON Templates.
Great, but what about clients?
Personally, there is a lot of choice when it comes to clients. Ultimately I find that it comes down to what you like most. I can personally recommend a small node.js layer on top of the Rails API which then gets a single page application based on backbone.js in front of it. You can also try AngularJS if you like. You can also build another Rails App around it and call the API from within your controller actions.
It also depends on what platform you want to target - a native application for iOS/Android comes to mind.
The choice I made was node.js + backbone. It currently makes the most sense for me at the time and for the project. The node layer essentially holds the Token necessary to communicate with the API and the backbone application has a small library to talk with the node layer. It can however be a double edged sword, depending on how complex your API will be. For a small example this seems to be fine, but there can be a lot of code duplication just to put the calls from the backbone application through to the Rails API.
Authentication
For authentication you can make customer based API-Keys (Tokens) and then limit the controller logic to only accept data operations which are allowed with that key. You could than manage the session via the node layer. Edit: This is authorization, not authentication. Nothing actually stops you from using Authlogic with Rails API - i have not tested it, but it should work.
I confess that i have not finished this part yet - I hope others can answer this architectural question :-)
I hope I could provide some insights.
P.S.: If you want to test your API i highly recommend httpie (It's awesome!)
I have a few Ruby scripts that process text files in different ways, that many of my friends find useful. However, most of the people I know are not comfortable running scripts on the command line. The easiest thing for them would be to create a simple webpage where people could upload a file, select a few options, have it processed, and then download the result.
I know it wouldn't be too hard to build something like this in Rails or Merb or something like that, however it seems like a very common problem, so I was wondering if there was already some kind of template, or similar application that I could easily modify, i.e. let the user upload a file, choose a few options, then {fill in code to do something with file}, let the user download the resulting file?
In the past I used Carrierwave to upload user avatars.
If you are used to Rails it's really straightforward.
Let it be a TextFile resource:
gem 'carrierwave'
$ rails g scaffold textfile content:string title:string etc etc
$ rails g uploader textfile
class TextFile < ActiveRecord::Base
attr_accesible :content
mount_uploader :content, TextFileUploader
end
And that is is pretty much all you have to do to obtain the app's skeleton. However, to answer your real question, no, I don't think there is already a rails app that does exactly that.
https://github.com/jnicklas/carrierwave
I found sinatra-fileupload, which pretty perfectly answers my question. It's a very minimalistic framework which works perfectly, I can just plug in the file handling, and change the layout etc a bit. There were many examples of sophisticated Rails plugins linked to databases, with versioning and stuff, but I really wanted the most minimal example.
As part of a summer project I am currently undertaking, I am interested in writing a script to automate the retrieval of the contact email address for a particular site's webmaster. Is there any information anyone can direct my way to start me off? Stuff like research papers, source code for similar applications etc. I am currently reading "Introduction to Information Retrieval" by Manning, Raghavan and Schutz, as this work is part of a larger information extraction project, in which I eventually hope to develop a people search system. Oh yes, and I intend to write these systems in Ruby, if that is any further help. Thanks.
Check out Simone Carletti's pure ruby whois client & parser GitHub project. Here's a usage example:
r = Whois.whois("google.com")
# => #<Whois::Record>
t = r.technical_contact
# => #<Whois::Record::Contact>
t.email
# => "dns-admin#google.com"