From c72263e9c3022fd6d532357946c8e97c6d9f53d4 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 17 Jun 2009 20:52:47 +0000
Subject: [PATCH] Adds antoine's tftp brute forcer
git-svn-id: file:///home/svn/framework3/trunk@6667 4d416f70-5f16-0410-b530-b9f4589650da
---
data/wordlists/tftp.txt | 78 +++++++++++++++++++++
modules/auxiliary/scanner/tftp/tftpbrute.rb | 54 ++++++++++++++
2 files changed, 132 insertions(+)
create mode 100644 data/wordlists/tftp.txt
create mode 100644 modules/auxiliary/scanner/tftp/tftpbrute.rb
diff --git a/data/wordlists/tftp.txt b/data/wordlists/tftp.txt
new file mode 100644
index 0000000000..17274a81f9
--- /dev/null
+++ b/data/wordlists/tftp.txt
@@ -0,0 +1,78 @@
+000000000000.cfg
+000000000000-directory~.xml
+323tosip1_1.bin
+4601_02_readme_R2_3.txt
+4601dbte1_82.bin
+4602_02SWSIPreadme_R1_1.txt
+4602dbte1_82.bin
+4602sbte1_82.bin
+4610_20_readme_R2_3.txt
+4610_20_readme_SIP_R2_2.txt
+4624_12_06readme_1_8_3.txt
+4625_readme_2_5.txt
+4690_010707.bin
+4690_readme_1_7_7.txt
+46xxreadme_111405.txt
+46xxsettings.txt
+46xxupgrade.scr
+a01d01b2_3.bin
+a02d01b2_3.bin
+a10d01b2_3.bin
+a20d01a2_3.bin
+a20d01b2_3.bin
+a25d01a2_5.bin
+b01d01b2_3.bin
+b02d01b2_3.bin
+b10d01b2_3.bin
+b20d01a2_3.bin
+b20d01b2_3.bin
+b25d01a2_5.bin
+bbla0_83.bin
+bootrom.ld
+cisco_util
+CP7912010301SIP050608A.sbin
+cvt01_2_3.bin
+cvt02_2_3.bin
+cvt02sw_2_3.bin
+def06r1_8_3.bin
+def24r1_8_3.bin
+dialplan.xml
+gkdefault.cfg
+infrared.txt
+merlin2.pcm
+OS79XX.TXT
+P003-07-5-00.bin
+P003-07-5-00.sbn
+P0S3-07-5-00.bin
+P0S3-07-5-00.loads
+P0S3-07-5-00.sb2
+phbook00e011010455.txt
+phone1.cfg
+release.xml
+RINGLIST.DAT
+s10d01b2_2.bin
+s20d01b2_2.bin
+SEP000F34118045.cnf
+SEP001562EA69E8.cnf
+SEPDefault.cnf
+SIP000F34118045.cnf
+SIPinsertMAChere.cnf
+SIPinsertMAChere.cnf
+sip_4602ap1_1.ebin
+sip_4602bt1_1.ebin
+sip_4602D01A.txt
+sip_4602D02A.txt
+sip.cfg
+SIPDefault.cnf
+sip.ld
+sipto323_1_1.ebin
+sip.ver
+SoundPointIPLocalization
+SoundPointIPWelcome.wav
+syncinfo.xml
+test
+test.txt
+uip200_463enc.pac
+uniden00e011030397.txt
+unidencom.txt
+XMLDefault.cnf.xml
diff --git a/modules/auxiliary/scanner/tftp/tftpbrute.rb b/modules/auxiliary/scanner/tftp/tftpbrute.rb
new file mode 100644
index 0000000000..63b1d091ac
--- /dev/null
+++ b/modules/auxiliary/scanner/tftp/tftpbrute.rb
@@ -0,0 +1,54 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'TFTP Brute Forcer',
+ 'Description' => 'This module is a TFTP filename Brute Forcer.',
+ 'Author' => 'antoine',
+ 'Version' => '$Revision$',
+ 'License' => BSD_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(69),
+ OptPath.new('DICTIONARY', [ true, 'The list of filenames', File.join(Msf::Config.install_root, "data", "wordlists", "tftp.txt") ])
+ ], self.class)
+ end
+
+ def run_host(ip)
+ begin
+ udp_sock = Rex::Socket::Udp.create()
+ IO.foreach(datastore['DICTIONARY']) do |filename|
+ filename.chomp!
+ pkt = "\x00\x01" + filename + "\x00" + "netascii" + "\x00"
+ udp_sock.sendto(pkt, ip, rport)
+ resp = udp_sock.get(1)
+ if resp and resp.length >= 2 and resp[0, 2] == "\x00\x03"
+ print_status("Found #{filename} on #{ip}")
+ end
+ end
+ rescue
+ ensure
+ udp_sock.close
+ end
+ end
+
+end
+
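Review bot: In `run_host`, the bare `rescue` with an empty body discards every error, so an unreadable `DICTIONARY` file or a socket failure looks exactly like a host that served none of the listed files, and a clean result cannot be trusted by whoever is auditing the TFTP server. The `ensure` clause also calls `udp_sock.close` unconditionally; if `Rex::Socket::Udp.create()` itself raised, `udp_sock` is nil and the close raises a NoMethodError out of the method. I would report the failure and guard the close: `rescue ::StandardError => e`, `print_error("#{ip}: #{e.class} #{e}")`, and `udp_sock.close if udp_sock`. Separately, the reply from `udp_sock.get(1)` is accepted without checking who sent it, so a late or retransmitted DATA packet may be credited to the next filename in the list; that is worth confirming against a real server.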