2010-01-13 23:37:14 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2010-01-13 23:37:14 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Finger Service User Enumerator',
|
|
|
|
'Description' => 'Identify valid users through the finger service using a variety of tricks',
|
|
|
|
'Author' => 'hdm',
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
register_options([
|
|
|
|
Opt::RPORT(79),
|
|
|
|
OptString.new('USERS_FILE',
|
|
|
|
[ true, 'The file that contains a list of default UNIX accounts.',
|
|
|
|
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt')
|
|
|
|
]
|
|
|
|
)], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
@users = {}
|
|
|
|
|
|
|
|
begin
|
2011-07-15 15:33:35 +00:00
|
|
|
vprint_status "#{rhost}:#{rport} - Sending empty finger request."
|
2010-01-13 23:37:14 +00:00
|
|
|
finger_empty
|
2011-07-15 15:33:35 +00:00
|
|
|
vprint_status "#{rhost}:#{rport} - Sending test finger requests."
|
2010-01-13 23:37:14 +00:00
|
|
|
finger_zero
|
|
|
|
finger_dot
|
|
|
|
finger_chars
|
2011-07-15 15:33:35 +00:00
|
|
|
vprint_status "#{rhost}:#{rport} - Sending finger request for user list: #{finger_user_common.join(", ")}"
|
2010-01-13 23:37:14 +00:00
|
|
|
finger_list
|
|
|
|
|
|
|
|
rescue ::Rex::ConnectionError
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_error("#{e} #{e.backtrace}")
|
|
|
|
end
|
2010-01-15 03:25:34 +00:00
|
|
|
report_service(:host => rhost, :port => rport, :name => "finger")
|
|
|
|
|
2010-05-25 18:04:06 +00:00
|
|
|
if(@users.empty?)
|
|
|
|
print_status("#{ip}:#{rport} No users found.")
|
|
|
|
else
|
2010-06-03 18:25:29 +00:00
|
|
|
print_good("#{ip}:#{rport} Users found: #{@users.keys.sort.join(", ")}")
|
2010-01-15 03:25:34 +00:00
|
|
|
report_note(
|
|
|
|
:host => rhost,
|
|
|
|
:port => rport,
|
|
|
|
:type => 'finger.users',
|
|
|
|
:data => {:users => @users.keys}
|
|
|
|
)
|
|
|
|
end
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def finger_empty
|
|
|
|
connect
|
|
|
|
sock.put("\r\n")
|
|
|
|
buff = finger_slurp_data
|
|
|
|
parse_users(buff)
|
2010-05-25 18:04:06 +00:00
|
|
|
disconnect
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def finger_zero
|
|
|
|
connect
|
|
|
|
sock.put("0\r\n")
|
|
|
|
buff = finger_slurp_data
|
|
|
|
parse_users(buff)
|
2010-05-25 18:04:06 +00:00
|
|
|
disconnect
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def finger_dot
|
|
|
|
connect
|
|
|
|
sock.put(".\r\n")
|
|
|
|
buff = finger_slurp_data
|
|
|
|
parse_users(buff)
|
2010-05-25 18:04:06 +00:00
|
|
|
disconnect
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def finger_chars
|
|
|
|
connect
|
|
|
|
sock.put("m m m m m m m m\r\n")
|
|
|
|
buff = finger_slurp_data
|
2010-05-25 18:04:06 +00:00
|
|
|
if buff.scan(/\r?\nm\s/).size > 7
|
|
|
|
@multiple_requests = true
|
2011-07-15 15:33:35 +00:00
|
|
|
vprint_status "#{rhost}:#{rport} - Multiple users per request is okay."
|
2010-05-25 18:04:06 +00:00
|
|
|
end
|
2010-01-13 23:37:14 +00:00
|
|
|
parse_users(buff)
|
2010-05-25 18:04:06 +00:00
|
|
|
disconnect
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def finger_list
|
2010-05-25 18:04:06 +00:00
|
|
|
if !@multiple_requests
|
|
|
|
finger_user_common.each do |user|
|
|
|
|
next if @users[user]
|
|
|
|
connect
|
2011-07-15 15:33:35 +00:00
|
|
|
vprint_status "#{rhost}:#{rport} - Sending finger request for #{user}..."
|
2010-05-25 18:04:06 +00:00
|
|
|
sock.put("#{user}\r\n")
|
|
|
|
buff = finger_slurp_data
|
2010-12-10 00:58:55 +00:00
|
|
|
ret = parse_users(buff)
|
2010-05-25 18:04:06 +00:00
|
|
|
disconnect
|
2010-12-10 00:58:55 +00:00
|
|
|
break if not ret
|
2010-05-25 18:04:06 +00:00
|
|
|
end
|
|
|
|
else
|
|
|
|
while !finger_user_common.empty?
|
|
|
|
user_batch = []
|
|
|
|
while user_batch.size < 8 and !finger_user_common.empty?
|
|
|
|
new_user = finger_user_common.shift
|
|
|
|
next if @users.keys.include? new_user
|
|
|
|
user_batch << new_user
|
|
|
|
end
|
|
|
|
connect
|
2011-07-15 15:33:35 +00:00
|
|
|
vprint_status "#{rhost}:#{rport} - Sending finger request for #{user_batch.join(", ")}..."
|
2010-05-25 18:04:06 +00:00
|
|
|
sock.put("#{user_batch.join(" ")}\r\n")
|
|
|
|
buff = finger_slurp_data
|
2010-12-10 00:58:55 +00:00
|
|
|
ret = parse_users(buff)
|
2010-05-25 18:04:06 +00:00
|
|
|
disconnect
|
2010-12-10 00:58:55 +00:00
|
|
|
break if not ret
|
2010-05-25 18:04:06 +00:00
|
|
|
end
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def finger_slurp_data
|
|
|
|
buff = ""
|
|
|
|
begin
|
2012-06-04 20:31:10 +00:00
|
|
|
while(res = sock.get_once(-1, 5) || '')
|
2010-01-13 23:37:14 +00:00
|
|
|
buff << res
|
|
|
|
break if buff.length > (1024*1024)
|
|
|
|
end
|
|
|
|
rescue ::Interrupt
|
|
|
|
raise $!
|
|
|
|
rescue ::Exception
|
|
|
|
end
|
|
|
|
buff
|
|
|
|
end
|
|
|
|
|
|
|
|
def finger_user_common
|
|
|
|
if(! @common)
|
2010-07-01 23:33:07 +00:00
|
|
|
File.open(datastore['USERS_FILE'], "rb") do |fd|
|
2010-01-13 23:37:14 +00:00
|
|
|
data = fd.read(fd.stat.size)
|
2010-05-25 18:04:06 +00:00
|
|
|
@common = data.split(/\n/).compact.uniq
|
|
|
|
@common.delete("")
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
@common
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_users(buff)
|
|
|
|
buff.each_line do |line|
|
2010-05-25 18:04:06 +00:00
|
|
|
uid = nil
|
2010-01-13 23:37:14 +00:00
|
|
|
next if line.strip.empty?
|
|
|
|
|
|
|
|
# Ignore Cisco systems
|
2010-12-10 00:58:55 +00:00
|
|
|
return if line =~ /Line.*User.*Host.*Location/
|
2010-01-13 23:37:14 +00:00
|
|
|
|
|
|
|
next if line =~ /user not found/i
|
|
|
|
next if line =~ /no such user/i
|
|
|
|
next if line =~ /must provide username/
|
|
|
|
next if line =~ /real life: \?\?\?/
|
|
|
|
next if line =~ /No one logged on/
|
|
|
|
next if line =~ /^Login\s+Name\s+TTY/
|
|
|
|
|
|
|
|
# print_status(">> #{line}")
|
|
|
|
|
|
|
|
# No such file or directory == valid user bad utmp
|
|
|
|
|
|
|
|
# Solaris
|
|
|
|
if(line =~ /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/)
|
2010-06-03 18:25:29 +00:00
|
|
|
uid = $1
|
2010-01-13 23:37:14 +00:00
|
|
|
if ($2 != "Name")
|
|
|
|
@users[uid] ||= {}
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# IRIX
|
|
|
|
if(line =~ /^\s*Login name:\s*([^\s]+)\s+/i)
|
2010-05-25 18:04:06 +00:00
|
|
|
uid = $1
|
|
|
|
@users[uid] ||= {} if uid
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
2010-05-24 21:44:17 +00:00
|
|
|
|
|
|
|
# Debian GNU/Linux
|
|
|
|
if(line =~ /^\s*Username:\s*([^\s]+)\s+/i)
|
2010-05-25 18:04:06 +00:00
|
|
|
uid = $1
|
|
|
|
@users[uid] ||= {} if uid
|
|
|
|
end
|
|
|
|
|
|
|
|
if uid
|
|
|
|
print_good "#{rhost}:#{rport} - Found user: #{uid}" unless @users[uid] == :reported
|
|
|
|
@users[uid] = :reported
|
2010-05-24 21:44:17 +00:00
|
|
|
next
|
|
|
|
end
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
2010-12-10 00:58:55 +00:00
|
|
|
return true
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|
2010-05-25 18:04:06 +00:00
|
|
|
|
2010-01-13 23:37:14 +00:00
|
|
|
end
|