Didier Stevens

Monday 16 March 2015

Quickpost: Metasploit User Agent Strings

Filed under: Quickpost — Didier Stevens @ 0:00

I searched through the Metasploit source code for User Agent Strings (starting with Mozilla/).

This is what I found:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N
Mozilla/4.0 (compatible; Metasploit RSPEC)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

Quickpost info


7 Comments »

  1. Are lines 5 and 7 truncated?

    Comment by Drew Hunt — Monday 16 March 2015 @ 14:11

  2. Here are my finds for comparison:

    Mozilla/4.0 (compatible)
    Mozilla/4.0 (compatible; BullsEye; Windows 95)
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\
    Mozilla/5.0
    Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3
    Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
    Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1\
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0\
    Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1
    Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22
    Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
    Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0
    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0\
    Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8

    Comment by Drew Hunt — Monday 16 March 2015 @ 14:30

  3. @Drew No, these lines are not truncated. This is what I found in the source code:

    OptString.new(‘UserAgent’, [ true, “The HTTP User-Agent sent in the request”,
    ‘Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N’ ])

    header = { ‘User-Agent’ => “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13”}

    Comment by Didier Stevens — Monday 16 March 2015 @ 14:43

  4. @Drew There are many User Agent Strings found in the comments of the Metasploit source code. I did not include these, and that explains why you find so many.
    I used the following regex: ([“‘])Mozilla/.+\1

    Comment by Didier Stevens — Monday 16 March 2015 @ 14:45

  5. Interesting. I’m not able to find the ‘SIMBAR’ UAS to validate. What module is it from?. It looks to be a cut-off .NET string. That would be an intersting anomaly to search for.

    WRT searching, I believe the bulk of the UAS I located were in the included Ruby libraries, not Metasploit itself.

    root@host1:/opt/metasploit# cat /tmp/ua1 | awk -F: ‘{print $1}’ | sort | uniq -c | sort -nr
    8 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/spec/lib/secure_headers_spec.rb
    5 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/spec/lib/secure_headers/headers/content_security_policy_spec.rb
    4 apps/pro/ui/db/runners/se_reporting_seed_objects.rb
    2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb
    2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb
    2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb
    2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb
    2 apps/pro/vendor/bundle/ruby/1.9.1/gems/rack-1.4.5/test/spec_request.rb
    1 apps/pro/vendor/bundle/ruby/1.9.1/gems/robots-0.10.1/test/fixtures/eventbrite.txt
    1 apps/pro/ui/app/models/websploit_task.rb
    1 apps/pro/ui/app/models/webscan_task.rb
    1 apps/pro/ui/app/models/webaudit_task.rb
    1 apps/pro/ui/app/models/social_engineering/web_page.rb
    1 apps/pro/ui/app/models/scan_task.rb
    1 apps/pro/ui/app/models/exploit_task.rb
    1 apps/pro/engine/spec/modules/auxiliary/pro/social_engineering/web_phish_spec.rb
    1 apps/pro/engine/lib/pro/dynamic_stagers/templates/reverse_http_svc.c.template
    1 apps/pro/engine/lib/pro/dynamic_stagers/templates/reverse_http.c.template

    Eliminating the Ruby spec strings, the list is reduced, but still not matched to yours. Then again, I’m searching the Kali packaged installation and not the source code.

    root@host1:/opt/metasploit# fgrep -r Mozilla/ * | fgrep -v access.log | fgrep -v “vendor/bundle” | tee /tmp/ua1.1 | perl -pe ‘s/^(.*)\”(Mozilla\/[^\”]+)\”(.*)$/$2/;’ | perl -pe “s/^(.*)\'(Mozilla\/[^\’]+)\'(.*)$/$2/;” | perl -pe ‘s/^(.*)\s(Mozilla\/.*)$/$2/;’ | perl -pe ‘s/^\s*$//’| sort | uniq | tee /tmp/ua2.1
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\
    Mozilla/5.0
    Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1\
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0\
    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0\

    Interesting findings. Thanks for the post!

    Comment by Drew Hunt — Monday 16 March 2015 @ 15:08

  6. @Drew Indeed, it is a truncated .NET CLR string, and makes it easy to spot. I found it here: metasploit-framework-master\modules\exploits\windows\http\hp_nnm_ovas.rb line 90.

    Comment by Didier Stevens — Monday 16 March 2015 @ 15:26

  7. […] on the Metasploit User Agent Strings I published a couple of months ago, I made these Snort […]

    Pingback by Detecting Network Traffic from Metasploit’s Meterpreter Reverse HTTP Module | Didier Stevens — Monday 11 May 2015 @ 5:52


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: