From 804db0ff0c8275e6c127be41f42ddc41bde5f1f9 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Wed, 18 Feb 2015 14:50:33 -0600 Subject: [PATCH] add leixcal sorting to methods lexical sort the new methods except for msf module entrypoint methods which should always be at the top --- .../framework/login_scanner/chef_webui.rb | 33 ++- .../framework/login_scanner/zabbix.rb | 35 ++-- .../scanner/http/chef_webui_login.rb | 175 ++++++++-------- .../auxiliary/scanner/http/zabbix_login.rb | 197 +++++++++--------- 4 files changed, 219 insertions(+), 221 deletions(-) diff --git a/lib/metasploit/framework/login_scanner/chef_webui.rb b/lib/metasploit/framework/login_scanner/chef_webui.rb index 22fa4a1513..c917af9954 100644 --- a/lib/metasploit/framework/login_scanner/chef_webui.rb +++ b/lib/metasploit/framework/login_scanner/chef_webui.rb @@ -19,6 +19,22 @@ module Metasploit # @return [String] Cookie value attr_accessor :session_id + # Decides which login routine and returns the results + # + # @param credential [Metasploit::Framework::Credential] The credential object + # @return [Result] + def attempt_login(credential) + result_opts = { credential: credential } + + begin + status = try_login(credential) + result_opts.merge!(status) + rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e + result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e) + end + + Result.new(result_opts) + end # (see Base#check_setup) def check_setup 
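Review bot: The doc comment moved along with `attempt_login` says "Decides which login routine", but the method visible here only calls `try_login` and wraps the outcome, so the summary misleads; `# Attempts one login with the given credential and wraps the outcome in a Result` matches the code. The added `end` also sits directly above `# (see Base#check_setup)` with no blank line, while the zabbix.rb hunk adds two; a single blank line in both keeps the YARD reference visually attached to `check_setup`. The rescue branch stores the exception object as `proof: e`, whereas the failure path in the later hunk stores `res.body`; if consumers of `Result` expect a String (not visible in this patch), `proof: e.message` would be the consistent form. The comment and `proof:` remarks apply equally to the identical `attempt_login` added in zabbix.rb.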
@@ -120,23 +136,6 @@ module Metasploit {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body} end - # Decides which login routine and returns the results - # - # @param credential [Metasploit::Framework::Credential] The credential object - # @return [Result] - def attempt_login(credential) - result_opts = { credential: credential } - - begin - status = try_login(credential) - result_opts.merge!(status) - rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e - result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e) - end - - Result.new(result_opts) - end - end end end diff --git a/lib/metasploit/framework/login_scanner/zabbix.rb b/lib/metasploit/framework/login_scanner/zabbix.rb index d59defa309..436343bf0e 100644 --- a/lib/metasploit/framework/login_scanner/zabbix.rb +++ b/lib/metasploit/framework/login_scanner/zabbix.rb @@ -20,6 +20,24 @@ module Metasploit # @return [String] Cookie session attr_accessor :zsession + # Decides which login routine and returns the results + # + # @param credential [Metasploit::Framework::Credential] The credential object + # @return [Result] + def attempt_login(credential) + result_opts = { credential: credential } + + begin + status = try_login(credential) + result_opts.merge!(status) + rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e + result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e) + end + + Result.new(result_opts) + end + + # (see Base#check_setup) def check_setup begin 
@@ -111,23 +129,6 @@ module Metasploit {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body} end - # Decides which login routine and returns the results - # - # @param credential [Metasploit::Framework::Credential] The credential object - # @return [Result] - def attempt_login(credential) - result_opts = { credential: credential } - - begin - status = try_login(credential) - result_opts.merge!(status) - rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e - result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e) - end - - Result.new(result_opts) - end - end end end diff --git a/modules/auxiliary/scanner/http/chef_webui_login.rb b/modules/auxiliary/scanner/http/chef_webui_login.rb index 338413afa0..df4da2cc24 100644 --- a/modules/auxiliary/scanner/http/chef_webui_login.rb +++ b/modules/auxiliary/scanner/http/chef_webui_login.rb 
@@ -38,6 +38,93 @@ class Metasploit3 < Msf::Auxiliary ], self.class) end + # + # main + # + def run_host(ip) + init_loginscanner(ip) + msg = @scanner.check_setup + if msg + print_brute :level => :error, :ip => rhost, :msg => msg + return + end + + print_brute :level=>:status, :ip=>rhost, :msg=>("Found Chef Web UI application at #{datastore['TARGETURI']}") + bruteforce(ip) + end + + def bruteforce(ip) + @scanner.scan! do |result| + case result.status + when Metasploit::Model::Login::Status::SUCCESSFUL + print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'" + do_report(ip, rport, result) + :next_user + when Metasploit::Model::Login::Status::DENIED_ACCESS + print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}'" + do_report(ip, rport, result) + :next_user + when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT + if datastore['VERBOSE'] + print_brute :level => :verror, :ip => ip, :msg => "Could not connect" + end + invalidate_login( + address: ip, + port: rport, + protocol: 'tcp', + public: result.credential.public, + private: result.credential.private, + realm_key: result.credential.realm_key, + realm_value: result.credential.realm, + status: result.status + ) + :abort + when Metasploit::Model::Login::Status::INCORRECT + if datastore['VERBOSE'] + print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'" + end + invalidate_login( + address: ip, + port: rport, + protocol: 'tcp', + public: result.credential.public, + private: result.credential.private, + realm_key: result.credential.realm_key, + realm_value: result.credential.realm, + status: result.status + ) + end + end + end + + def do_report(ip, port, result) + service_data = { + address: ip, + port: port, + service_name: 'http', + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + module_fullname: self.fullname, + origin_type: :service, + private_data: 
result.credential.private, + private_type: :password, + username: result.credential.public, + }.merge(service_data) + + credential_core = create_credential(credential_data) + + login_data = { + core: credential_core, + last_attempted_at: DateTime.now, + status: result.status + }.merge(service_data) + + create_credential_login(login_data) + end + def init_loginscanner(ip) @cred_collection = Metasploit::Framework::CredentialCollection.new( blank_passwords: datastore['BLANK_PASSWORDS'], 
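Review bot: `run_host` receives `ip` but prints with `:ip => rhost`, while `bruteforce` and `do_report` in the same hunk use the `ip` argument, so the reported address depends on two sources that are presumably, but not visibly, the same. Using the parameter throughout removes that assumption, and the second call can drop the mixed `=>` spacing and the redundant parentheses: `print_brute :level => :status, :ip => ip, :msg => "Found Chef Web UI application at #{datastore['TARGETURI']}"`. The `# main` banner could say what the method is, for example `# Module entry point: checks the target is a Chef Web UI, then runs the login scan`. The same `rhost`/`ip` mix appears in `run_host` in zabbix_login.rb.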
@@ -71,92 +158,4 @@ class Metasploit3 < Msf::Auxiliary @scanner.ssl_version = datastore['SSLVERSION'] end - def do_report(ip, port, result) - service_data = { - address: ip, - port: port, - service_name: 'http', - protocol: 'tcp', - workspace_id: myworkspace_id - } - - credential_data = { - module_fullname: self.fullname, - origin_type: :service, - private_data: result.credential.private, - private_type: :password, - username: result.credential.public, - }.merge(service_data) - - credential_core = create_credential(credential_data) - - login_data = { - core: credential_core, - last_attempted_at: DateTime.now, - status: result.status - }.merge(service_data) - - create_credential_login(login_data) - end - - def bruteforce(ip) - @scanner.scan! do |result| - case result.status - when Metasploit::Model::Login::Status::SUCCESSFUL - print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'" - do_report(ip, rport, result) - :next_user - when Metasploit::Model::Login::Status::DENIED_ACCESS - print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}'" - do_report(ip, rport, result) - :next_user - when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT - if datastore['VERBOSE'] - print_brute :level => :verror, :ip => ip, :msg => "Could not connect" - end - invalidate_login( - address: ip, - port: rport, - protocol: 'tcp', - public: result.credential.public, - private: result.credential.private, - realm_key: result.credential.realm_key, - realm_value: result.credential.realm, - status: result.status - ) - :abort - when Metasploit::Model::Login::Status::INCORRECT - if datastore['VERBOSE'] - print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'" - end - invalidate_login( - address: ip, - port: rport, - protocol: 'tcp', - public: result.credential.public, - private: result.credential.private, - realm_key: result.credential.realm_key, - realm_value: result.credential.realm, 
- status: result.status - ) - end - end - end - - - # - # main - # - def run_host(ip) - init_loginscanner(ip) - msg = @scanner.check_setup - if msg - print_brute :level => :error, :ip => rhost, :msg => msg - return - end - - print_brute :level=>:status, :ip=>rhost, :msg=>("Found Chef Web UI application at #{datastore['TARGETURI']}") - bruteforce(ip) - end - end diff --git a/modules/auxiliary/scanner/http/zabbix_login.rb b/modules/auxiliary/scanner/http/zabbix_login.rb index 3356ba9f3a..d23ecf9f12 100644 --- a/modules/auxiliary/scanner/http/zabbix_login.rb +++ b/modules/auxiliary/scanner/http/zabbix_login.rb 
@@ -39,17 +39,97 @@ class Metasploit3 < Msf::Auxiliary end # - # From the documentation: - # - # "In case of five consecutive failed login attempts, Zabbix interface will pause for 30 - # seconds in order to prevent brute force and dictionary attacks." + # main # + def run_host(ip) + init_loginscanner(ip) + msg = @scanner.check_setup + if msg + print_brute :level => :error, :ip => rhost, :msg => msg + return + end - # Zabbix enables a Guest mode by default that allows access to the dashboard without auth - def is_guest_mode_enabled? - dashboard_uri = normalize_uri(datastore['TARGETURI'] + '/' + 'dashboard.php') - res = send_request_cgi({'uri'=>dashboard_uri}) - !! (res && res.code == 200 && res.body.to_s =~ /Zabbix .*: Dashboard<\/title>/) + print_brute :level=>:status, :ip=>rhost, :msg=>("Found Zabbix version #{@scanner.version}") + + if is_guest_mode_enabled? + print_brute :level => :good, :ip => ip, :msg => "Note: This Zabbix instance has Guest mode enabled" + else + print_brute :level=>:status, :ip=>rhost, :msg=>("Zabbix has disabled Guest mode") + end + + bruteforce(ip) + end + + def bruteforce(ip) + @scanner.scan! 
do |result| + case result.status + when Metasploit::Model::Login::Status::SUCCESSFUL + print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'" + do_report(ip, rport, result) + :next_user + when Metasploit::Model::Login::Status::DENIED_ACCESS + print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}'" + do_report(ip, rport, result) + :next_user + when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT + if datastore['VERBOSE'] + print_brute :level => :verror, :ip => ip, :msg => "Could not connect" + end + invalidate_login( + address: ip, + port: rport, + protocol: 'tcp', + public: result.credential.public, + private: result.credential.private, + realm_key: result.credential.realm_key, + realm_value: result.credential.realm, + status: result.status + ) + :abort + when Metasploit::Model::Login::Status::INCORRECT + if datastore['VERBOSE'] + print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'" + end + invalidate_login( + address: ip, + port: rport, + protocol: 'tcp', + public: result.credential.public, + private: result.credential.private, + realm_key: result.credential.realm_key, + realm_value: result.credential.realm, + status: result.status + ) + end + end + end + + def do_report(ip, port, result) + service_data = { + address: ip, + port: port, + service_name: 'http', + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + module_fullname: self.fullname, + origin_type: :service, + private_data: result.credential.private, + private_type: :password, + username: result.credential.public, + }.merge(service_data) + + credential_core = create_credential(credential_data) + + login_data = { + core: credential_core, + last_attempted_at: DateTime.now, + status: result.status + }.merge(service_data) + + create_credential_login(login_data) end def init_loginscanner(ip) 
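Review bot: The `UNABLE_TO_CONNECT` and `INCORRECT` branches of `bruteforce` repeat the same eight-keyword `invalidate_login` call, and the method together with `do_report` is a verbatim copy of the versions added in chef_webui_login.rb. Since this commit already touches both copies, a small private helper would remove the in-method duplication and keep the two branches from drifting apart. Under the lexical ordering this commit introduces, it would sit between `init_loginscanner` and `is_guest_mode_enabled?`. The block's return values (`:abort`, and the helper's result for `INCORRECT`) stay as they are today.

```ruby
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
        # … unchanged: verbose "Could not connect" message …
        invalidate_result(ip, result)
        :abort
      when Metasploit::Model::Login::Status::INCORRECT
        # … unchanged: verbose "Failed" message …
        invalidate_result(ip, result)
      # … unchanged: end of case and of the scan! block …

  # Passes the attempted credential and the status the scanner reported
  # for it to invalidate_login.
  def invalidate_result(ip, result)
    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: result.credential.public,
      private: result.credential.private,
      realm_key: result.credential.realm_key,
      realm_value: result.credential.realm,
      status: result.status
    )
  end
```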
@@ -85,99 +165,18 @@ class Metasploit3 < Msf::Auxiliary @scanner.ssl_version = datastore['SSLVERSION'] end - def do_report(ip, port, result) - service_data = { - address: ip, - port: port, - service_name: 'http', - protocol: 'tcp', - workspace_id: myworkspace_id - } - - credential_data = { - module_fullname: self.fullname, - origin_type: :service, - private_data: result.credential.private, - private_type: :password, - username: result.credential.public, - }.merge(service_data) - - credential_core = create_credential(credential_data) - - login_data = { - core: credential_core, - last_attempted_at: DateTime.now, - status: result.status - }.merge(service_data) - - create_credential_login(login_data) - end - - def bruteforce(ip) - @scanner.scan! do |result| - case result.status - when Metasploit::Model::Login::Status::SUCCESSFUL - print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'" - do_report(ip, rport, result) - :next_user - when Metasploit::Model::Login::Status::DENIED_ACCESS - print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}'" - do_report(ip, rport, result) - :next_user - when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT - if datastore['VERBOSE'] - print_brute :level => :verror, :ip => ip, :msg => "Could not connect" - end - invalidate_login( - address: ip, - port: rport, - protocol: 'tcp', - public: result.credential.public, - private: result.credential.private, - realm_key: result.credential.realm_key, - realm_value: result.credential.realm, - status: result.status - ) - :abort - when Metasploit::Model::Login::Status::INCORRECT - if datastore['VERBOSE'] - print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'" - end - invalidate_login( - address: ip, - port: rport, - protocol: 'tcp', - public: result.credential.public, - private: result.credential.private, - realm_key: result.credential.realm_key, - realm_value: 
result.credential.realm, - status: result.status - ) - end - end - end - - # - # main + # From the documentation: + # + # "In case of five consecutive failed login attempts, Zabbix interface will pause for 30 + # seconds in order to prevent brute force and dictionary attacks." # - def run_host(ip) - init_loginscanner(ip) - msg = @scanner.check_setup - if msg - print_brute :level => :error, :ip => rhost, :msg => msg - return - end - print_brute :level=>:status, :ip=>rhost, :msg=>("Found Zabbix version #{@scanner.version}") - - if is_guest_mode_enabled? - print_brute :level => :good, :ip => ip, :msg => "Note: This Zabbix instance has Guest mode enabled" - else - print_brute :level=>:status, :ip=>rhost, :msg=>("Zabbix has disabled Guest mode") - end - - bruteforce(ip) + # Zabbix enables a Guest mode by default that allows access to the dashboard without auth + def is_guest_mode_enabled? + dashboard_uri = normalize_uri(datastore['TARGETURI'] + '/' + 'dashboard.php') + res = send_request_cgi({'uri'=>dashboard_uri}) + !! (res && res.code == 200 && res.body.to_s =~ /<title>Zabbix .*: Dashboard<\/title>/) end end
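Review bot: The "From the documentation" comment about the 30-second pause after five failed logins now sits at the bottom of the class, directly above the guest-mode comment, so it reads as documentation for `is_guest_mode_enabled?` although it concerns the login attempts made in `bruteforce`. Placing it above `def bruteforce(ip)`, or in the module description, would keep the operator-facing caveat where it applies. In `is_guest_mode_enabled?`, the path is assembled by string concatenation; `normalize_uri(datastore['TARGETURI'], 'dashboard.php')` would express the same join without the manual `'/'`. The removed copy of this method in the earlier zabbix_login.rb hunk shows the regex without the leading `<title>`; that may be a rendering artifact of this page, but it is worth confirming that the move left the pattern unchanged.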