infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

start refacotirng snmp_login

bug/bundler_fix
David Maloney 2014-07-22 11:46:22 -05:00
parent 0eb4fc0ed1
commit c553fcac73
No known key found for this signature in database
GPG Key ID: DEDBA9DC3A913DB2
2 changed files with 70 additions and 248 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
lib/metasploit/framework/community_string_collection.rb
View File

@ -1,2 +1,69 @@
class CommunityStringCollection
end
require 'metasploit/framework/credential'
module Metasploit
module Framework
# This class is responsible for taking datastore options from the snmp_login module
# and yielding appropriate {Metasploit::Framework::Credential}s to the {Metasploit::Framework::LoginScanner::SNMP}.
# This one has to be different from {credentialCollection} as it will only have a {Metasploit::Framework::Credential#public}
# It may be slightly confusing that the attribues are called password and pass_file, because this is what the legacy
# module used. However, community Strings are now considered more to be public credentials than private ones.
class CommunityStringCollection
# @!attribute pass_file
# Path to a file containing passwords, one per line
# @return [String]
attr_accessor :pass_file
# @!attribute password
# @return [String]
attr_accessor :password
# @!attribute prepended_creds
# List of credentials to be tried before any others
#
# @see #prepend_cred
# @return [Array<Credential>]
attr_accessor :prepended_creds
# @option opts [String] :pass_file See {#pass_file}
# @option opts [String] :password See {#password}
# @option opts [Array<Credential>] :prepended_creds ([]) See {#prepended_creds}
def initialize(opts = {})
opts.each do |attribute, value|
public_send("#{attribute}=", value)
end
self.prepended_creds ||= []
end
# Combines all the provided credential sources into a stream of {Credential}
# objects, yielding them one at a time
#
# @yieldparam credential [Metasploit::Framework::Credential]
# @return [void]
def each
if pass_file.present?
pass_fd = File.open(pass_file, 'r:binary')
pass_fd.each_line do |line|
line.chomp!
yield Metasploit::Framework::Credential.new(public: line, paired: false)
end
end
if password.present?
yield Metasploit::Framework::Credential.new(public: password, paired: false)
end
end
# Add {Credential credentials} that will be yielded by {#each}
#
# @see prepended_creds
# @param cred [Credential]
# @return [self]
def prepend_cred(cred)
prepended_creds.unshift cred
self
end
end
end
end

247
modules/auxiliary/scanner/snmp/snmp_login.rb
View File

@ -49,260 +49,15 @@ class Metasploit3 < Msf::Auxiliary
# Operate on an entire batch of hosts at once
def run_batch(batch)
@found = {}
@tried = []
batch.each do |ip|
begin
udp_sock = nil
idx = 0
# Create an unbound UDP socket if no CHOST is specified, otherwise
# create a UDP socket bound to CHOST (in order to avail of pivoting)
udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
add_socket(udp_sock)
each_user_pass do |user, pass|
comm = pass
data1 = create_probe_snmp1(comm)
data2 = create_probe_snmp2(comm)
batch.each do |ip|
fq_pass = [ip,pass]
next if @tried.include? fq_pass
@tried << fq_pass
vprint_status "#{ip}:#{datastore['RPORT']} - SNMP - Trying #{(pass.nil? || pass.empty?) ? "<BLANK>" : pass}..."
begin
udp_sock.sendto(data1, ip, datastore['RPORT'].to_i, 0)
udp_sock.sendto(data2, ip, datastore['RPORT'].to_i, 0)
rescue ::Interrupt
raise $!
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
nil
end
if (idx % 10 == 0)
while (r = udp_sock.recvfrom(65535, 0.25) and r[1])
parse_reply(r)
end
end
idx += 1
end
end
idx = 0
while (r = udp_sock.recvfrom(65535, 3) and r[1] and idx < 500)
parse_reply(r)
idx += 1
end
if @found.keys.length > 0
print_status("Validating scan results from #{@found.keys.length} hosts...")
end
# Review all successful communities and determine write access
@found.keys.sort.each do |host|
fake_comm = Rex::Text.rand_text_alphanumeric(8)
anycomm_ro = false
anycomm_rw = false
comms_ro = []
comms_rw = []
finished = false
versions = ["1", "2"]
versions.each do |version|
comms_todo = @found[host].keys.sort
comms_todo.unshift(fake_comm)
comms_todo.each do |comm|
begin
sval = nil
snmp = snmp_client(host, datastore['RPORT'].to_i, version, udp_sock, comm)
resp = snmp.get("sysName.0")
resp.each_varbind { |var| sval = var.value }
next if not sval
svar = ::SNMP::VarBind.new("1.3.6.1.2.1.1.5.0", ::SNMP::OctetString.new(sval))
resp = snmp.set(svar)
if resp.error_status == :noError
comms_rw << comm
print_status("Host #{host} provides READ-WRITE access with community '#{comm}'")
if comm == fake_comm
anycomm_rw = true
finished = true
break
end
else
comms_ro << comm
print_status("Host #{host} provides READ-ONLY access with community '#{comm}'")
if comm == fake_comm
anycomm_ro = true
finished = true
break
end
end
# Used to flag whether this version was compatible
finished = true
rescue ::SNMP::UnsupportedPduTag, ::SNMP::InvalidPduTag, ::SNMP::ParseError,
::SNMP::InvalidErrorStatus, ::SNMP::InvalidTrapVarbind, ::SNMP::InvalidGenericTrap,
::SNMP::BER::OutOfData, ::SNMP::BER::InvalidLength, ::SNMP::BER::InvalidTag,
::SNMP::BER::InvalidObjectId, ::SNMP::MIB::ModuleNotLoadedError,
::SNMP::UnsupportedValueTag
next
rescue ::SNMP::UnsupportedVersion
break
rescue ::SNMP::RequestTimeout
next
end
end
break if finished
end
# Report on the results
comms_ro = ["anything"] if anycomm_ro
comms_rw = ["anything"] if anycomm_rw
comms_rw.each do |comm|
report_auth_info(
:host => host,
:port => datastore['RPORT'].to_i,
:proto => 'udp',
:sname => 'snmp',
:user => '',
:pass => comm,
:duplicate_ok => true,
:active => true,
:source_type => "user_supplied",
:type => "password"
)
end
comms_ro.each do |comm|
report_auth_info(
:host => host,
:port => datastore['RPORT'].to_i,
:proto => 'udp',
:sname => 'snmp',
:user => '',
:pass => comm,
:duplicate_ok => true,
:active => true,
:source_type => "user_supplied",
:type => "password_ro"
)
end
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
end
end
#
# Allocate a SNMP client using the existing socket
#
def snmp_client(host, port, version, socket, community)
version = :SNMPv1 if version == "1"
version = :SNMPv2c if version == "2c"
snmp = ::SNMP::Manager.new(
:Host => host,
:Port => port,
:Community => community,
:Version => version,
:Timeout => 1,
:Retries => 2,
:Transport => SNMP::RexUDPTransport,
:Socket => socket
)
end
#
# The response parsers
#
def parse_reply(pkt)
return if not pkt[1]
if(pkt[1] =~ /^::ffff:/)
pkt[1] = pkt[1].sub(/^::ffff:/, '')
end
asn = OpenSSL::ASN1.decode(pkt[0]) rescue nil
return if not asn
snmp_error = asn.value[0].value rescue nil
snmp_comm = asn.value[1].value rescue nil
snmp_data = asn.value[2].value[3].value[0] rescue nil
snmp_oid = snmp_data.value[0].value rescue nil
snmp_info = snmp_data.value[1].value rescue nil
return if not (snmp_error and snmp_comm and snmp_data and snmp_oid and snmp_info)
snmp_info = snmp_info.to_s.gsub(/\s+/, ' ')
inf = snmp_info
com = snmp_comm
if(com)
@found[pkt[1]]||={}
if(not @found[pkt[1]][com])
print_good("SNMP: #{pkt[1]} community string: '#{com}' info: '#{inf}'")
@found[pkt[1]][com] = inf
end
report_service(
:host => pkt[1],
:port => pkt[2],
:proto => 'udp',
:name => 'snmp',
:info => inf,
:state => "open"
)
end
end
def create_probe_snmp1(name)
xid = rand(0x100000000)
pdu =
"\x02\x01\x00" +
"\x04" + [name.length].pack('c') + name +
"\xa0\x1c" +
"\x02\x04" + [xid].pack('N') +
"\x02\x01\x00" +
"\x02\x01\x00" +
"\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01" +
"\x01\x01\x00\x05\x00"
head = "\x30" + [pdu.length].pack('C')
data = head + pdu
data
end
def create_probe_snmp2(name)
xid = rand(0x100000000)
pdu =
"\x02\x01\x01" +
"\x04" + [name.length].pack('c') + name +
"\xa1\x19" +
"\x02\x04" + [xid].pack('N') +
"\x02\x01\x00" +
"\x02\x01\x00" +
"\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01" +
"\x05\x00"
head = "\x30" + [pdu.length].pack('C')
data = head + pdu
data
end
end