Land #5376, Report ipmi_dumphashes credentials with create_credential_login
commit
2ae9e39719
|
@ -71,7 +71,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
passwords << ""
|
||||
passwords = passwords.uniq
|
||||
|
||||
|
||||
self.udp_sock = Rex::Socket::Udp.create({'Context' => {'Msf' => framework, 'MsfExploit' => self}})
|
||||
add_socket(self.udp_sock)
|
||||
|
||||
|
@ -180,18 +179,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
write_output_files(rhost, username, sha1_salt, sha1_hash)
|
||||
|
||||
# Write the rakp hash to the database
|
||||
report_auth_info(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:proto => 'udp',
|
||||
:sname => 'ipmi',
|
||||
:user => username,
|
||||
:pass => "#{sha1_salt}:#{sha1_hash}",
|
||||
:source_type => "captured",
|
||||
:active => true,
|
||||
:type => 'rakp_hmac_sha1_hash'
|
||||
)
|
||||
|
||||
hash = "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}"
|
||||
core_id = report_hash(username, hash)
|
||||
# Write the vulnerability to the database
|
||||
unless reported_vuln
|
||||
report_vuln(
|
||||
|
@ -216,17 +205,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_good("#{rhost}:#{rport} - IPMI - Hash for user '#{username}' matches password '#{pass}'")
|
||||
|
||||
# Report the clear-text credential to the database
|
||||
report_auth_info(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:proto => 'udp',
|
||||
:sname => 'ipmi',
|
||||
:user => username,
|
||||
:pass => pass,
|
||||
:source_type => "cracked",
|
||||
:active => true,
|
||||
:type => 'password'
|
||||
)
|
||||
report_cracked_cred(username, pass, core_id)
|
||||
break
|
||||
end
|
||||
end
|
||||
|
@ -265,6 +244,45 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
def service_data
|
||||
{
|
||||
address: rhost,
|
||||
port: rport,
|
||||
service_name: 'ipmi',
|
||||
protocol: 'udp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
end
|
||||
|
||||
def report_hash(user, hash)
|
||||
credential_data = {
|
||||
module_fullname: self.fullname,
|
||||
origin_type: :service,
|
||||
private_data: hash,
|
||||
private_type: :nonreplayable_hash,
|
||||
jtr_format: 'rakp',
|
||||
username: user,
|
||||
}.merge(service_data)
|
||||
|
||||
login_data = {
|
||||
core: create_credential(credential_data),
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}.merge(service_data)
|
||||
|
||||
cl = create_credential_login(login_data)
|
||||
cl.core_id
|
||||
end
|
||||
|
||||
def report_cracked_cred(user, password, core_id)
|
||||
cred_data = {
|
||||
core_id: core_id,
|
||||
username: user,
|
||||
password: password
|
||||
}
|
||||
|
||||
create_cracked_credential(cred_data)
|
||||
end
|
||||
|
||||
#
|
||||
# Helper methods (these didn't quite fit with existing mixins)
|
||||
#
|
||||
|
@ -292,5 +310,4 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def rport
|
||||
datastore['RPORT']
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue