Land #6305, creds update for owa_login

2016-01-04 10:52:39 -06:00 · 2016-01-04 10:52:39 -06:00 · 58c047200d
parent 9d415dddca db5c69226e
commit 58c047200d
1 changed files with 58 additions and 15 deletions
--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@ -28,7 +28,8 @@ class Metasploit3 < Msf::Auxiliary
          'sinn3r',
          'Brandon Knight',
          'Pete (Bokojan) Arzamendi', # Outlook 2013 updates
-          'Nate Power'                # HTTP timing option
+          'Nate Power',                # HTTP timing option
+          'Chapman (R3naissance) Schleiss' # Save username in creds if response is less
        ],
      'License'        => MSF_LICENSE,
      'Actions'        =>
@ -225,10 +226,21 @@ class Metasploit3 < Msf::Auxiliary
      if reason == nil
        headers['Cookie'] = 'PBack=0;' << res.get_cookies
      else
-      # Login didn't work. no point on going on.
+        # Login didn't work. no point in going on, however, check if valid domain account by response time.
+        if elapsed_time <= 1
+          report_cred(
+            ip: datastore['RHOST'],
+            port: datastore['RPORT'],
+            service_name: 'owa',
+            user: user
+          )
+          print_status("#{msg} FAILED LOGIN, BUT USERNAME IS VALID. #{elapsed_time} '#{user}' : '#{pass}': SAVING TO CREDS")
+          return :Skip_pass
+        else
          vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (HTTP redirect with reason #{reason})")
          return :Skip_pass
        end
+      end
    else
       # The authentication info is in the cookies on this response
      cookies = res.get_cookies
@ -261,9 +273,20 @@ class Metasploit3 < Msf::Auxiliary
    end

    if res.redirect?
+      if elapsed_time <= 1
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'owa',
+          user: user
+        )
+        print_status("#{msg} FAILED LOGIN, BUT USERNAME IS VALID. #{elapsed_time} '#{user}' : '#{pass}': SAVING TO CREDS")
+        return :Skip_pass
+      else
        vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (response was a #{res.code} redirect)")
        return :skip_pass
      end
+    end

    if res.body =~ login_check
      print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
@ -275,11 +298,22 @@ class Metasploit3 < Msf::Auxiliary
        password: pass
      )
      return :next_user
+    else
+      if elapsed_time <= 1
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'owa',
+          user: user
+        )
+        print_status("#{msg} FAILED LOGIN, BUT USERNAME IS VALID. #{elapsed_time} '#{user}' : '#{pass}': SAVING TO CREDS")
+        return :Skip_pass
      else
        vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (response body did not match)")
        return :skip_pass
      end
    end
+  end

  def get_ad_domain
    urls = ['aspnet_client',
@ -331,6 +365,8 @@ class Metasploit3 < Msf::Auxiliary
      workspace_id: myworkspace_id
    }

+    # Test if password was passed, if so, add private_data. If not, assuming only username was found
+    if opts.has_key?(:password)
      credential_data = {
        origin_type: :service,
        module_fullname: fullname,
@ -338,6 +374,13 @@ class Metasploit3 < Msf::Auxiliary
        private_data: opts[:password],
        private_type: :password
      }.merge(service_data)
+    else
+      credential_data = {
+        origin_type: :service,
+        module_fullname: fullname,
+        username: opts[:user]
+      }.merge(service_data)
+    end

    login_data = {
      core: create_credential(credential_data),