Merge branch 'aux-scan-metasploit' of git://github.com/kost/metasploit-framework into kost-aux-scan-metasploit
commit
65ac56a7a7
|
@ -0,0 +1,92 @@
|
|||
##
|
||||
# msf_rpc_login.rb
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/rpc/v10/client'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Metasploit RPC interface Login Utility',
|
||||
'Description' => %q{
|
||||
This module simply attempts to login to a
|
||||
Metasploit RPC interface using a specific
|
||||
user/pass.
|
||||
},
|
||||
'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(55553),
|
||||
OptString.new('USERNAME', [true, "A specific username to authenticate as. Default is msf", "msf"]),
|
||||
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
|
||||
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true])
|
||||
], self.class)
|
||||
register_autofilter_ports([3790])
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
begin
|
||||
@rpc = Msf::RPC::Client.new(
|
||||
:host => datastore['rhost'],
|
||||
:port => datastore['rport'],
|
||||
:ssl => datastore['SSL']
|
||||
)
|
||||
rescue => e
|
||||
vprint_error("#{msg} #{datastore['SSL']} Cannot create RPC client : #{e}")
|
||||
return
|
||||
end
|
||||
|
||||
each_user_pass do |user, pass|
|
||||
do_login(user, pass)
|
||||
end
|
||||
end
|
||||
|
||||
def do_login(user='msf', pass='msf')
|
||||
vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")
|
||||
begin
|
||||
res = @rpc.login(user, pass)
|
||||
if res
|
||||
print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
|
||||
|
||||
report_hash = {
|
||||
:host => datastore['RHOST'],
|
||||
:port => datastore['RPORT'],
|
||||
:sname => 'msf-rpc',
|
||||
:user => user,
|
||||
:pass => pass,
|
||||
:active => true,
|
||||
:type => 'password'}
|
||||
|
||||
report_auth_info(report_hash)
|
||||
@rpc.close
|
||||
return :next_user
|
||||
end
|
||||
rescue => e
|
||||
# vprint_status("#{msg} #{datastore['SSL']} - Bad login #{e}")
|
||||
vprint_status("#{msg} #{datastore['SSL']} - Bad login")
|
||||
@rpc.close
|
||||
return :skip_pass
|
||||
end
|
||||
end
|
||||
|
||||
def msg
|
||||
"#{datastore['RHOST']}:#{datastore['RPORT']} Metasploit RPC -"
|
||||
end
|
||||
end
|
|
@ -0,0 +1,150 @@
|
|||
##
|
||||
# msf_web_login.rb
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Metasploit Web interface Login Utility',
|
||||
'Description' => %{
|
||||
This module simply attempts to login to a Metasploit
|
||||
web interface using a specific user/pass.
|
||||
},
|
||||
'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(3790),
|
||||
OptString.new('URILOGIN', [true, "URI for Metasploit Web login. Default is /login", "/login"]),
|
||||
OptString.new('URIGUESS', [true, "URI for Metasploit Web login. Default is /user_sessions", "/user_sessions"]),
|
||||
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
|
||||
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true])
|
||||
], self.class)
|
||||
|
||||
register_autofilter_ports([55553])
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['URILOGIN'],
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
http_fingerprint({ :response => res })
|
||||
rescue ::Rex::ConnectionError => e
|
||||
vprint_error("#{msg} #{datastore['URILOGIN']} - #{e}")
|
||||
return
|
||||
end
|
||||
|
||||
if not res
|
||||
vprint_error("#{msg} #{datastore['URILOGIN']} - No response")
|
||||
return
|
||||
end
|
||||
if !(res.code == 200 or res.code == 302)
|
||||
vprint_error("#{msg} Expected 200 HTTP code - not msf web? Got: #{res.code}")
|
||||
return
|
||||
end
|
||||
if res.body !~ /<title>Metasploit<\/title>/
|
||||
vprint_error("#{msg} Expected metasploit page - not msf web interface? #{res.body}")
|
||||
return
|
||||
end
|
||||
|
||||
each_user_pass do |user, pass|
|
||||
do_login(user, pass)
|
||||
end
|
||||
end
|
||||
|
||||
def do_login(user='msf', pass='msf')
|
||||
vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['URILOGIN'],
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
|
||||
token = ''
|
||||
uisession = ''
|
||||
if res and res.code == 200
|
||||
# extract tokens from cookie
|
||||
res.headers['Set-Cookie'].split(';').each {|c|
|
||||
c.split(',').each {|v|
|
||||
if v.split('=')[0] =~ /token/
|
||||
token = v.split('=')[1]
|
||||
elsif v.split('=')[0] =~ /_ui_session/
|
||||
uisession = v.split('=')[1]
|
||||
end
|
||||
}
|
||||
}
|
||||
# extract authenticity_token from hidden field
|
||||
atoken = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*)"/)[0][0]
|
||||
else
|
||||
print_error("#{msg} Failed to get login cookies, aborting")
|
||||
return :abort
|
||||
end
|
||||
|
||||
# vprint_status("#{msg} '#{user}' with '#{pass}': #{atoken} - #{token} - #{uisession}")
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => datastore['URIGUESS'],
|
||||
'method' => 'POST',
|
||||
'cookie' => "token=#{token}; _ui_session=#{uisession}",
|
||||
'vars_post' =>
|
||||
{
|
||||
'commit' => 'Sign in',
|
||||
'utf8' => "\xE2\x9C\x93",
|
||||
'authenticity_token' => atoken,
|
||||
'user_session[username]' => user,
|
||||
'user_session[password]' => pass
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if not res or res.code != 302
|
||||
vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' with code #{res.code}")
|
||||
return :skip_pass
|
||||
end
|
||||
if res.headers['Location'] =~ /\/login/
|
||||
vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' with wrong redirect")
|
||||
return :skip_pass
|
||||
else
|
||||
print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
|
||||
|
||||
report_hash = {
|
||||
:host => datastore['RHOST'],
|
||||
:port => datastore['RPORT'],
|
||||
:sname => 'msf-web',
|
||||
:user => user,
|
||||
:pass => pass,
|
||||
:active => true,
|
||||
:type => 'password'}
|
||||
|
||||
report_auth_info(report_hash)
|
||||
return :next_user
|
||||
end
|
||||
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
|
||||
print_error("#{msg} HTTP Connection Failed, Aborting")
|
||||
return :abort
|
||||
end
|
||||
end
|
||||
|
||||
def msg
|
||||
"#{vhost}:#{rport} Metasploit Web -"
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue