Update documentation

GSoC/Meterpreter_Web_Console
Jacob Robles 2019-02-19 10:50:14 -06:00
parent e383bc2763
commit 7fa5f56bb8
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
1 changed files with 24 additions and 2 deletions


@ -1,4 +1,6 @@
## Nuuo CMS Session Bruteforce ## Description
Nuuo CMS Session Bruteforce
The NUUO CMS protocol uses session tokens in a similar way to HTTP cookies. As mentioned in the summary, if a USERLOGIN request is sent with a correct username and password, a "User-Session-No" token will be returned. The number returned is composed of 8 digits, so if an attacker wanted to guess it, they would have 10 million possibilities, and would be able to bruteforce it on average after 5 million tries. The NUUO CMS protocol uses session tokens in a similar way to HTTP cookies. As mentioned in the summary, if a USERLOGIN request is sent with a correct username and password, a "User-Session-No" token will be returned. The number returned is composed of 8 digits, so if an attacker wanted to guess it, they would have 10 million possibilities, and would be able to bruteforce it on average after 5 million tries.
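Review bot: The paragraph kept under the new "## Description" heading says an 8-digit token leaves "10 million possibilities" and an average of 5 million tries, but eight decimal digits give 10^8 = 100 million values. Since this commit restructures the description anyway, either correct the two figures or state the constraint on "User-Session-No" that reduces the space to 10 million, so readers can judge how weak the token really is.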
@ -41,11 +43,31 @@ Secondly, due to the nature of this application, it is normal to have the softwa
It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received.
# The following versions were tested: ## Vulnerable Application
[NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)
- 1.5.2 OK - 1.5.2 OK
- 2.1.0 OK - 2.1.0 OK
- 2.3.0 OK - 2.3.0 OK
## Scenarios
### Tested on Windows 10 Pro x64 running NCS Server v2.4.0
```
msf5 auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
[*] 172.22.222.200:5180 - Bruteforcing session - this might take a while, go get some coffee!
[*] 172.22.222.200:5180 - Generating 2621440 session tokens
[+] 172.22.222.200:5180 - Found valid user session: 42094216
[*] 172.22.222.200:5180 - Time taken: 1384.588721601991 seconds; total tries 590893
[*] Auxiliary module execution completed
msf5 auxiliary(gather/nuuo_cms_bruteforce) >
```
## References ## References
https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
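Review bot: The new "## Vulnerable Application" entry says "all versions below 2.4.0", yet the added scenario is headed "Tested on Windows 10 Pro x64 running NCS Server v2.4.0" and shows a valid session being found. One of the two needs correcting, or the doc should say why 2.4.0 is still affected, because defenders will read this line to decide whether they are exposed. The link target `d1.nuuo.com/NUUO/CMS/` has no scheme, so Markdown will resolve it as a relative path; give it a full URL. The sample output also reports "Generating 2621440 session tokens", which the description's figures do not account for; one sentence on how the candidate set is derived would make the run time and "total tries 590893" interpretable.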