infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #5935, final creds refactor

bug/bundler_fix
William Vu 2015-10-01 00:25:14 -05:00
parent 786273e0f8 8866b15f3b
commit 2e2d27d53a
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
28 changed files with 1020 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
modules/auxiliary/admin/mysql/mysql_enum.rb
View File

@ -27,6 +27,33 @@ class Metasploit3 < Msf::Auxiliary
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: 'mysql,mysql-sha1'
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
return if not mysql_login_datastore
print_status("Running MySQL Enumerator...")
@ -86,15 +113,14 @@ class Metasploit3 < Msf::Auxiliary
print_status("\tList of Accounts with Password Hashes:")
res.each do |row|
print_status("\t\tUser: #{row[0]} Host: #{row[1]} Password Hash: #{row[2]}")
report_auth_info({
:host => rhost,
:port => rport,
:user => row[0],
:pass => row[2],
:type => "mysql_hash",
:sname => "mysql",
:active => true
})
report_cred(
ip: rhost,
port: rport,
user: row[0],
password: row[2],
service_name: 'mysql',
proof: row.inspect
)
end
end
# Only list accounts that can log in with SSL if SSL is enabled

43
modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb
View File

@ -175,15 +175,14 @@ class Metasploit3 < Msf::Auxiliary
@plain_passwords[i] << " (ISO-8859-1 hex chars)"
end
report_auth_info({
:host => rhost,
:port => rport,
:user => @users[i][0],
:pass => @plain_passwords[i],
:type => "password",
:sname => (ssl ? "https" : "http"),
:proof => "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}"
})
report_cred(
ip: rhost,
port: rport,
user: @users[i][0],
password: @plain_passwords[i],
service_name: (ssl ? "https" : "http"),
proof: "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}"
)
users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i], user_type(@users[i][3])]
end
@ -191,6 +190,32 @@ class Metasploit3 < Msf::Auxiliary
print_line(users_table.to_s)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def user_type(database)
user_type = database

45
modules/auxiliary/admin/scada/modicon_password_recovery.rb
View File

@ -90,18 +90,45 @@ class Metasploit3 < Msf::Auxiliary
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def setup_ftp_connection
vprint_status "#{ip}:#{rport} - FTP - Connecting"
if connect_login()
conn = connect_login
if conn
print_status("#{ip}:#{rport} - FTP - Login succeeded")
report_auth_info(
:host => ip,
:port => rport,
:proto => 'tcp',
:user => user,
:pass => pass,
:ptype => 'password_ro',
:active => true
report_cred(
ip: ip,
port: rport,
user: user,
password: pass,
service_name: 'modicon',
proof: "connect_login: #{conn}"
)
return true
else

41
modules/auxiliary/analyze/jtr_oracle_fast.rb
View File

@ -37,6 +37,33 @@ class Metasploit3 < Msf::Auxiliary
crack("oracle11g")
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: opts[:format]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def crack(format)
@ -71,12 +98,14 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{cracked[:cracked]} hashes were cracked!")
cracked[:users].each_pair do |k,v|
print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
report_auth_info(
:host => v[1],
:port => v[2],
:sname => 'oracle',
:user => k,
:pass => v[0]
report_cred(
ip: v[1],
port: v[2],
service_name: 'oracle',
user: k,
pass: v[0],
format: format,
proof: cracked.inspect
)
end
end

37
modules/auxiliary/dos/http/wordpress_long_password_dos.rb
View File

@ -68,16 +68,41 @@ class Metasploit3 < Msf::Auxiliary
datastore['TIMEOUT']
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user]
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def user_exists(user)
exists = wordpress_user_exists?(user)
if exists
print_good("#{peer} - Username \"#{username}\" is valid")
report_auth_info(
:host => rhost,
:sname => (ssl ? 'https' : 'http'),
:user => user,
:port => rport,
:proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}"
report_cred(
ip: rhost,
port: rport,
user: user,
service_name: (ssl ? 'https' : 'http'),
proof: "WEBAPP=\"Wordpress\", VHOST=#{vhost}"
)
return true

41
modules/auxiliary/gather/apache_rave_creds.rb
View File

@ -103,6 +103,33 @@ class Metasploit3 < Msf::Auxiliary
}
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
print_status("#{rhost}:#{rport} - Fingerprinting...")
@ -183,13 +210,13 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{rhost}:#{rport} - Recovering Hashes...")
json_info["result"]["resultSet"].each { |result|
print_good("#{rhost}:#{rport} - Found cred: #{result["username"]}:#{result["password"]}")
report_auth_info(
:host => rhost,
:port => rport,
:sname => "Apache Rave",
:user => result["username"],
:pass => result["password"],
:active => result["enabled"]
report_cred(
ip: rhost,
port: rport,
service_name: 'Apache Rave',
user: result["username"],
password: result["password"],
proof: user_data
)
}

40
modules/auxiliary/gather/d20pass.rb
View File

@ -182,6 +182,32 @@ class Metasploit3 < Msf::Auxiliary
return res
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
# Parse the usernames, passwords, and security levels from the config
# It's a little ugly (lots of hard-coded offsets).
# The userdata starts at an offset dictated by the B014USERS config
@ -213,13 +239,13 @@ class Metasploit3 < Msf::Auxiliary
break
end
logins << [accounttype, accountname, accountpass]
report_auth_info(
:host => datastore['RHOST'],
:port => 23,
:sname => "telnet",
:user => accountname,
:pass => accountpass,
:active => true
report_cred(
ip: datastore['RHOST'],
port: 23,
service_name: 'telnet',
user: accountname,
password: accountpass,
proof: accounttype
)
end
if not logins.rows.empty?

42
modules/auxiliary/gather/doliwamp_traversal_creds.rb
View File

@ -151,6 +151,32 @@ class Metasploit3 < Msf::Auxiliary
get_session_tokens ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
return unless tokens = get_session_tokens
credentials = []
@ -172,14 +198,14 @@ class Metasploit3 < Msf::Auxiliary
'Columns' => ['Username', 'Password', 'Admin', 'E-mail']
)
credentials.each do |record|
report_auth_info({
:host => rhost,
:port => rport,
:sname => (ssl ? 'https' : 'http'),
:user => record[0],
:pass => record[1],
:source_type => 'vuln'
})
report_cred(
ip: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
user: record[0],
password: record[1],
proof: @cookie
)
cred_table << [record[0], record[1], record[2], record[3]]
end
print_line

44
modules/auxiliary/gather/hp_snac_domain_creds.rb
View File

@ -88,6 +88,34 @@ class Metasploit3 < Msf::Auxiliary
return results
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
print_status("#{peer} - Get Domain Info")
@ -121,14 +149,14 @@ class Metasploit3 < Msf::Auxiliary
)
credentials.each do |record|
report_auth_info({
:host => record[0],
:port => record[1],
:sname => record[2].downcase,
:user => record[3],
:pass => record[4],
:source_type => "vuln"
})
report_cred(
ip: record[0],
port: record[1],
service_name: record[2].downcase,
user: record[3],
password: record[4],
proof: domain_info.inspect
)
cred_table << [record[0], record[3], record[4]]
end

44
modules/auxiliary/gather/vbulletin_vote_sqli.rb
View File

@ -145,6 +145,33 @@ class Metasploit3 < Msf::Auxiliary
Msf::Exploit::CheckCode::Safe
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: 'md5'
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
print_status("#{peer} - Checking for a valid node id...")
node_id = get_node
@ -171,15 +198,14 @@ class Metasploit3 < Msf::Auxiliary
for i in 0..count_users
user = get_user_data(node_id, i)
unless user.join.empty?
report_auth_info({
:host => rhost,
:port => rport,
:user => user[0],
:pass => user[1],
:type => "hash",
:sname => (ssl ? "https" : "http"),
:proof => "salt: #{user[2]}" # Using proof to store the hash salt
})
report_cred(
ip: rhost,
port: rport,
user: user[0],
password: user[1],
service_name: (ssl ? "https" : "http"),
proof: "salt: #{user[2]}"
)
users_table << user
end
end

42
modules/auxiliary/gather/windows_deployment_services_shares.rb
View File

@ -198,6 +198,32 @@ class Metasploit3 < Msf::Auxiliary
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def parse_client_unattend(data)
begin
@ -216,15 +242,13 @@ class Metasploit3 < Msf::Auxiliary
end
def report_creds(domain, user, pass)
report_auth_info(
:host => rhost,
:port => 445,
:sname => 'smb',
:proto => 'tcp',
:source_id => nil,
:source_type => "aux",
:user => "#{domain}\\#{user}",
:pass => pass
report_cred(
ip: rhost,
port: 445,
service_name: 'smb',
user: "#{domain}\\#{user}",
password: pass,
proof: domain
)
end

43
modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
View File

@ -76,6 +76,34 @@ class Metasploit3 < Msf::Auxiliary
nil
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: 'md5,des'
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run_host(ip)
users_found = false
@ -117,14 +145,13 @@ class Metasploit3 < Msf::Auxiliary
unless match.nil?
print_good("Username: #{match[0]}")
print_good("Password Hash: #{match[1]}")
report_auth_info(
host: rhost,
port: rport,
sname: ssl ? 'https' : 'http',
user: match[0],
pass: match[1],
active: true,
type: 'hash'
report_cred(
ip: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
user: match[0],
password: match[1],
proof: result.body
)
users_found = true
end

45
modules/auxiliary/scanner/couchdb/couchdb_login.rb
View File

@ -74,6 +74,32 @@ class Metasploit3 < Msf::Auxiliary
vprint_error("'#{rhost}':'#{rport}' - Failed to connect to the web server")
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def do_login(user, pass)
vprint_status("Trying username:'#{user}' with password:'#{pass}'")
begin
@ -91,17 +117,14 @@ class Metasploit3 < Msf::Auxiliary
return :skip_pass
else
vprint_good("#{rhost}:#{rport} - Successful login with. '#{user}' : '#{pass}'")
report_hash = {
:host => datastore['RHOST'],
:port => datastore['RPORT'],
:sname => 'couchdb',
:user => user,
:pass => pass,
:active => true,
:type => 'password'}
report_auth_info(report_hash)
report_cred(
ip: datastore['RHOST'],
port: datastore['RPORT'],
service_name: 'couchdb',
user: user,
password: pass,
proof: res.code.to_s
)
return :next_user
end

43
modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb
View File

@ -216,15 +216,40 @@ class Metasploit3 < Msf::Auxiliary
print_status("Raw version of #{archi} saved as: #{p}")
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def report_creds(domain, user, pass)
report_auth_info(
:host => rhost,
:port => 4050,
:sname => 'dcerpc',
:proto => 'tcp',
:source_id => nil,
:source_type => "aux",
:user => "#{domain}\\#{user}",
:pass => pass)
report_cred(
ip: rhost,
port: 4050,
service_name: 'dcerpc',
user: "#{domain}\\#{user}",
password: pass,
proof: domain
)
end
end

43
modules/auxiliary/scanner/http/dell_idrac.rb
View File

@ -69,22 +69,45 @@ class Metasploit3 < Msf::Auxiliary
if(auth and auth.body.to_s.match(/<authResult>[0|5]<\/authResult>/) != nil )
print_good("#{target_url} - SUCCESSFUL login for user '#{user}' with password '#{pass}'")
report_auth_info(
:host => rhost,
:port => rport,
:proto => 'tcp',
:sname => (ssl ? 'https' : 'http'),
:user => user,
:pass => pass,
:active => true,
:source_type => "user_supplied",
:duplicate_ok => true
report_cred(
ip: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
user: user,
password: pass,
proof: auth.body.to_s
)
else
print_error("#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'")
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run_host(ip)
print_status("Verifying that login page exists at #{ip}")
uri = normalize_uri(target_uri.path)

44
modules/auxiliary/scanner/http/openmind_messageos_login.rb
View File

@ -72,6 +72,32 @@ class Metasploit3 < Msf::Auxiliary
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
#
# Brute-force the login page
#
@ -96,16 +122,14 @@ class Metasploit3 < Msf::Auxiliary
if (res and res.code == 302 and res.headers['Location'].include?("frameset"))
print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_hash = {
:host => rhost,
:port => rport,
:sname => 'OpenMind Message-OS Provisioning Portal',
:user => user,
:pass => pass,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
report_cred(
ip: rhost,
port: rport,
service_name: 'OpenMind Message-OS Provisioning Portal',
user: user,
password: pass,
proof: res.headers['Location']
)
return :next_user
else
vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")

43
modules/auxiliary/scanner/lotus/lotus_domino_login.rb
View File

@ -33,6 +33,33 @@ class Metasploit3 < Msf::Auxiliary
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def do_login(user=nil,pass=nil)
post_data = "username=#{Rex::Text.uri_encode(user.to_s)}&password=#{Rex::Text.uri_encode(pass.to_s)}&RedirectTo=%2Fnames.nsf"
vprint_status("http://#{vhost}:#{rport} - Lotus Domino - Trying username:'#{user}' with password:'#{pass}'")
@ -48,15 +75,13 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 302
if res.get_cookies.match(/DomAuthSessId=(.*);(.*)/i)
print_good("http://#{vhost}:#{rport} - Lotus Domino - SUCCESSFUL login for '#{user}' : '#{pass}'")
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => user,
:pass => pass,
:proof => "WEBAPP=\"Lotus Domino\", VHOST=#{vhost}, COOKIE=#{res.get_cookies}",
:source_type => "user_supplied",
:active => true
report_cred(
ip: rhost,
port: rport,
service_name: (ssl ? "https" : "http"),
user: user,
password: pass,
proof: "WEBAPP=\"Lotus Domino\", VHOST=#{vhost}, COOKIE=#{res.get_cookies}"
)
return :next_user
end

44
modules/auxiliary/scanner/misc/dvr_config_disclosure.rb
View File

@ -200,18 +200,44 @@ class Metasploit3 < Msf::Auxiliary
user_active = true
end
report_auth_info({
:host => rhost,
:port => rport,
:sname => 'dvr',
:duplicate_ok => false,
:user => user,
:pass => password,
:active => user_active
})
report_cred(
ip: rhost,
port: rport,
service_name: 'dvr',
user: user,
password: password,
service_name: 'http',
proof: "user_id: #{user_id}, active: #{active}"
)
}
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run_host(ip)
res = send_request_cgi({

36
modules/auxiliary/scanner/oracle/isqlplus_login.rb
View File

@ -231,18 +231,46 @@ class Metasploit3 < Msf::Auxiliary
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def report_isqlauth_info(ip,user,pass,sid)
ora_info = {
:host => ip, :port => rport, :proto => "tcp",
:pass => pass, :source_type => "user_supplied",
:active => true
ip: ip,
port: rport,
password: pass,
proof: sid.inspect,
service_name: 'tcp'
}
if sid.nil? || sid.empty?
ora_info.merge! :user => user
else
ora_info.merge! :user => "#{sid}/#{user}"
end
report_auth_info(ora_info)
report_cred(ora_info)
end
end

47
modules/auxiliary/scanner/oracle/oracle_login.rb
View File

@ -138,6 +138,32 @@ class Metasploit3 < Msf::Auxiliary
m[1,2]
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: opts[:status],
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def parse_script_output(addr,port,output)
msg = "#{addr}:#{port} - Oracle -"
@oracle_reported = false
@ -156,10 +182,13 @@ class Metasploit3 < Msf::Auxiliary
user,pass = extract_creds(oline)
pass = "" if pass == "<empty>"
print_good "#{msg} Success: #{user}:#{pass} (SID: #{sid})"
report_auth_info(
:host => addr, :port => port, :proto => "tcp",
:user => "#{sid}/#{user}", :pass => pass,
:source_type => "user_supplied", :active => true
report_cred(
ip: addr,
port: port,
user: "#{sid}/#{user}",
password: pass,
service_name: 'tcp',
status: Metasploit::Model::Login::Status::SUCCESSFUL
)
elsif oline =~ /Account locked/
if not @oracle_reported
@ -169,10 +198,12 @@ class Metasploit3 < Msf::Auxiliary
end
user = extract_creds(oline)[0]
print_status "#{msg} Locked: #{user} (SID: #{sid}) -- account valid but locked"
report_auth_info(
:host => addr, :port => port, :proto => "tcp",
:user => "#{sid}/#{user}",
:source_type => "user_supplied", :active => false
report_cred(
ip: addr,
port: port,
user: "#{sid}/#{user}",
service_name: 'tcp',
status: Metasploit::Model::Login::Status::DENIED_ACCESS
)
elsif oline =~ /^\s+ERROR: (.*)/
print_error "#{msg} NSE script error: #{$1}"

40
modules/auxiliary/scanner/postgres/postgres_version.rb
View File

@ -50,6 +50,32 @@ class Metasploit3 < Msf::Auxiliary
datastore['RPORT']
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def do_fingerprint(user=nil,pass=nil,database=nil)
begin
msg = "#{rhost}:#{rport} Postgres -"
@ -79,13 +105,13 @@ class Metasploit3 < Msf::Auxiliary
)
if self.postgres_conn
report_auth_info(
:host => rhost,
:port => rport,
:sname => "postgres",
:user => user,
:pass => password,
:active => true
report_cred(
ip: rhost,
port: rport,
service_name: 'postgres',
user: user,
password: password,
proof: "postgres_conn = #{self.postgres_conn.inspect}"
)
end

25
modules/auxiliary/scanner/rservices/rsh_login.rb
View File

@ -220,6 +220,31 @@ class Metasploit3 < Msf::Auxiliary
[ sd, lport ]
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def start_rsh_session(host, port, user, luser, proof, stderr_sock)
report_auth_info(

43
modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb
View File

@ -68,22 +68,49 @@ class Metasploit4 < Msf::Auxiliary
vprint_status("#{rhost}:#{rport} - Adding User to Group...")
uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=' + datastore['USERNAME'] + ',GROUPNAME=' + datastore['GROUP']
if send_request(uri)
res = send_request(uri)
if res
print_good("#{rhost}:#{rport} - User #{datastore['USERNAME']} added to group #{datastore['GROUP']}")
else
return
end
report_auth_info(
:host => rhost,
:port => rport,
:user => datastore['USERNAME'],
:pass => datastore['PASSWORD'],
:ptype => "password",
:active => true
report_cred(
ip: rhost,
port: rport,
service_name: 'sap',
user: datastore['USERNAME'],
pass: datastore['PASSWORD'],
proof: res.body
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def send_request(uri)
begin
res = send_request_cgi({

43
modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
View File

@ -61,6 +61,32 @@ class Metasploit4 < Msf::Auxiliary
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def enum_user(user, pass, uri)
# Replace placeholder with SAP SID, if present
@ -140,16 +166,13 @@ class Metasploit4 < Msf::Auxiliary
vprint_error("#{peer} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
end
report_auth_info(
:host => rhost,
:sname => 'sap-managementconsole',
:proto => 'tcp',
:port => rport,
:user => user,
:pass => pass,
:source_type => "user_supplied",
:target_host => rhost,
:target_port => rport
report_cred(
ip: rhost,
port: port,
user: user,
password: pass,
service_name: 'sap-managementconsole',
proof: res.body
)
else
vprint_error("#{peer} [SAP] failed to login as '#{user}':'#{pass}'")

2
modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
View File

@ -124,7 +124,7 @@ class Metasploit4 < Msf::Auxiliary
return
else
print_good("[SAP] #{ip}:#{rport} - User '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}' created")
report_auth_info(
report_auth(
ip: ip,
port: rport,
service_name: 'sap',

35
modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb
View File

@ -397,6 +397,33 @@ class Metasploit3 < Msf::Exploit::Remote
create_credential_login(login_data)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: 'md5,raw-md5'
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def exploit
print_status("#{peer} - Checking for a valid node id...")
node_id = get_node
@ -417,6 +444,14 @@ class Metasploit3 < Msf::Exploit::Remote
for i in 0..count_users - 1
user = get_user_data(node_id, i)
report_cred(
ip: rhost,
port: rport,
user: user[0],
password: user[1],
service_name: (ssl ? "https" : "http"),
proof: "salt: #{user[2]}"
)
report_auth_info({
:host => rhost,
:port => rport,

59
modules/post/linux/gather/mount_cifs_creds.rb
View File

@ -47,10 +47,10 @@ class Metasploit3 < Msf::Post
cred = {}
# if the fstab line utilizies the credentials= option, read the credentials from that file
if (fstab_line =~ /\/\/([^\/]+)\/\S+\s+\S+\s+cifs\s+.*/)
host = $1
cred[:host] = $1
# IPs can occur using the ip option, which is a backup/alternative
# to letting UNC resolution do its thing
host = $1 if (fstab_line =~ /ip=([^, ]+)/)
cred[:host] = $1 if (fstab_line =~ /ip=([^, ]+)/)
if (fstab_line =~ /cred(?:entials)?=([^, ]+)/)
file = $1
# skip if we've already parsed this credentials file
@ -58,11 +58,13 @@ class Metasploit3 < Msf::Post
# store it if we haven't
cred_files << file
# parse the credentials
creds << parse_credentials_file(file)
cred.merge!(parse_credentials_file(file))
# if the credentials are directly in /etc/fstab, parse them
elsif (fstab_line =~ /\/\/([^\/]+)\/\S+\s+\S+\s+cifs\s+.*(?:user(?:name)?|pass(?:word)?)=/)
creds << parse_fstab_credentials(fstab_line)
cred.merge!(parse_fstab_credentials(fstab_line))
end
creds << cred
end
end
@ -71,10 +73,15 @@ class Metasploit3 < Msf::Post
creds.compact!
creds.uniq!
creds.each do |cred|
# XXX: currently, you can only report_auth_info on an IP or a valid Host. in our case,
# host[:host] is *not* a Host. Fix this some day.
if (Rex::Socket.dotted_ip?(cred[:host]))
report_auth_info({ :port => 445, :sname => 'smb', :type => 'password', :active => true }.merge(cred))
report_cred(
ip: cred[:host],
port: 445,
service_name: 'smb',
user: cred[:user],
password: cred[:pass],
proof: '/etc/fstab'
)
end
cred_table << [ cred[:user], cred[:pass], cred[:host], cred[:file] ]
end
@ -93,8 +100,37 @@ class Metasploit3 < Msf::Post
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :session,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password,
module_fullname: fullname,
session_id: session_db_id,
post_reference_name: self.refname
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
# Parse mount.cifs credentials from +line+, assumed to be a line from /etc/fstab.
# Returns the username+domain and password as a hash, nil if nothing is found.
# Returns the username+domain and password as a hash.
def parse_fstab_credentials(line, file="/etc/fstab")
creds = {}
# get the username option, which comes in one of four ways
@ -123,11 +159,12 @@ class Metasploit3 < Msf::Post
creds[:user] = "#{$1}\\#{creds[:user]}" if (line =~ /dom(?:ain)?=([^, ]+)/)
creds[:file] = file unless (creds.empty?)
(creds.empty? ? nil : creds)
creds
end
# Parse mount.cifs credentials from +file+, returning the username+domain and password
# as a hash, nil if nothing is found.
# as a hash.
def parse_credentials_file(file)
creds = {}
domain = nil
@ -145,6 +182,6 @@ class Metasploit3 < Msf::Post
creds[:user] = "#{domain}\\#{creds[:user]}" if (domain and creds[:user])
creds[:file] = file unless (creds.empty?)
(creds.empty? ? nil : creds)
creds
end
end

125
test/modules/auxiliary/test/report_auth_info.rb
View File

@ -359,7 +359,126 @@ class Metasploit3 < Msf::Auxiliary
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sap', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_mount_cifs_creds
mod = framework.post.create('linux/gather/mount_cifs_creds')
mock_post_mod_session(mod)
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'smb', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_mysql_enum
mod = framework.auxiliary.create('admin/mysql/mysql_enum')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'mysql', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_jtr_oracle_fast
mod = framework.auxiliary.create('analyze/jtr_oracle_fast')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'oracle', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_vbulletin_vote_sqli_exec
mod = framework.exploits.create('unix/webapp/vbulletin_vote_sqli_exec')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_sap_mgmt_con_brute_login
mod = framework.auxiliary.create('scanner/sap/sap_mgmt_con_brute_login')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_sap_ctc_verb_tampering_user_mgmt
mod = framework.auxiliary.create('scanner/sap/sap_ctc_verb_tampering_user_mgmt')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_scanner_oracle_login
mod = framework.auxiliary.create('scanner/oracle/oracle_login')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'tcp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF, status: Metasploit::Model::Login::Status::SUCCESSFUL)
end
def test_isqlplus_login
mod = framework.auxiliary.create('scanner/oracle/isqlplus_login')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'tcp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_dvr_config_disclosure
mod = framework.auxiliary.create('scanner/misc/dvr_config_disclosure')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_lotus_domino_login
mod = framework.auxiliary.create('scanner/lotus/lotus_domino_login')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_openmind_messageos_login
mod = framework.auxiliary.create('scanner/http/openmind_messageos_login')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_dell_idrac
mod = framework.auxiliary.create('scanner/http/dell_idrac')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_windows_deployment_services
mod = framework.auxiliary.create('scanner/dcerpc/windows_deployment_services')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'dcerpc', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_couchdb_login
mod = framework.auxiliary.create('scanner/couchdb/couchdb_login')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'couchdb', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_wp_w3_total_cache_hash_extract
mod = framework.auxiliary.create('gather/wp_w3_total_cache_hash_extract')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_windows_deployment_services_shares
mod = framework.auxiliary.create('gather/windows_deployment_services_shares')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'smb', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_vbulletin_vote_sqli
mod = framework.auxiliary.create('gather/vbulletin_vote_sqli')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_hp_snac_domain_creds
mod = framework.auxiliary.create('gather/hp_snac_domain_creds')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'hp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_d20pass
mod = framework.auxiliary.create('gather/d20pass')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'hp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_doliwamp_traversal_creds
mod = framework.auxiliary.create('gather/doliwamp_traversal_creds')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'hp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_apache_rave_creds
mod = framework.auxiliary.create('gather/apache_rave_creds')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'Apache Rave', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_wordpress_long_password_dos
mod = framework.auxiliary.create('dos/http/wordpress_long_password_dos')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, proof: FAKE_PROOF)
end
def test_modicon_password_recovery
mod = framework.auxiliary.create('admin/scada/modicon_password_recovery')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def test_advantech_webaccess_dbvisitor_sqli
mod = framework.auxiliary.create('admin/scada/advantech_webaccess_dbvisitor_sqli')
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
end
def run
counter_all = 0
@ -389,4 +508,8 @@ class Metasploit3 < Msf::Auxiliary
print_line
end
def mock_post_mod_session(mod)
mod.define_singleton_method(:session_db_id) { 1 }
end
end