Fixes to credential handling to downcase usernames whenever they are not case sensitive.

Also report_auth_info now checks to see if a non-case sensitive version of the cred may already exist.
2011-11-14 22:50:52 -08:00 · 2011-11-14 22:50:52 -08:00 · c8142043e9
parent 96d2209ca2
commit c8142043e9
10 changed files with 86 additions and 40 deletions
--- a/data/armitage/armitage.jar
+++ b/data/armitage/armitage.jar
--- a/data/armitage/readme.txt
+++ b/data/armitage/readme.txt
--- a/data/armitage/whatsnew.txt
+++ b/data/armitage/whatsnew.txt
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@ -976,10 +976,24 @@ class DBManager
 		# If duplicate usernames are okay, find by both user and password (allows
 		# for actual duplicates to get modified updated_at, sources, etc)
 		if duplicate_ok
-			cred = service.creds.find_or_initialize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
+			cred = service.creds.find_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
+			unless cred
+				dcu = token[0].downcase
+				cred = service.creds.find_by_user_and_ptype_and_pass( dcu || "", ptype, token[1] || "")
+				unless cred
+					cred = service.creds.find_or_initalize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
+				end
+			end
 		else
 			# Create the cred by username only (so we can change passwords)
-			cred = service.creds.find_or_initialize_by_user_and_ptype(token[0] || "", ptype)
+			cred = service.creds.find_by_user_and_ptype(token[0] || "", ptype)
+			unless cred
+				dcu = token[0].downcase
+				cred = service.creds.find_by_user_and_ptype_and_pass( dcu || "", ptype, token[1] || "")
+				unless cred
+					cred = service.creds.find_or_initialize_by_user_and_ptype(token[0] || "", ptype)
+				end
+			end
 		end

 		# Update with the password
--- a/modules/auxiliary/scanner/ftp/ftp_login.rb
+++ b/modules/auxiliary/scanner/ftp/ftp_login.rb
@ -61,6 +61,16 @@ class Metasploit3 < Msf::Auxiliary
 				next if user.nil?
 				ret = do_login(user,pass)
 				ftp_quit if datastore['SINGLE_SESSION']
+				if ret == :next_user
+					unless user == user.downcase
+						ret = do_login(user.downcase,pass)
+						if ret == :next_user
+							user = user.downcase
+							print_status("Username #{user} is not case sensitive")
+						end
+					end
+					report_ftp_creds(user,pass,@access)
+				end
 				ret
 			}
 			check_anonymous
@ -119,8 +129,7 @@ class Metasploit3 < Msf::Auxiliary
 				pass_response = send_pass(pass, @ftp_sock)
 				if pass_response =~ /^2/
 					print_good("#{rhost}:#{rport} - Successful FTP login for '#{user}':'#{pass}'")
-					access = test_ftp_access(user)
-					report_ftp_creds(user,pass,access)
+					@access = test_ftp_access(user)
 					ftp_quit
 					return :next_user
 				else
--- a/modules/auxiliary/scanner/mssql/mssql_login.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_login.rb
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
 					:host => rhost,
 					:port => rport,
 					:sname => 'mssql',
-					:user => user,
+					:user => user.downcase,
 					:pass => pass,
 					:source_type => "user_supplied",
 					:active => true
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@ -70,7 +70,17 @@ class Metasploit3 < Msf::Auxiliary

 		begin
 			each_user_pass do |user, pass|
-				try_user_pass(user, pass)
+				result = try_user_pass(user, pass)
+				if result == :next_user
+					unless user == user.downcase
+						result = try_user_pass(user.downcase, pass)
+						if result == :next_user
+							print_status("Username is case insensitive")
+							user = user.downcase 
+						end
+					end
+					report_creds(user,pass)
+				end
 			end
 		rescue ::Rex::ConnectionError
 			nil
@ -203,36 +213,6 @@ class Metasploit3 < Msf::Auxiliary

 		if(simple.client.auth_user)
 			print_good("#{smbhost} - SUCCESSFUL LOGIN (#{smb_peer_os}) '#{splitname(user)}' : '#{pass}'")
-			report_hash = {
-				:host	=> rhost,
-				:port   => datastore['RPORT'],
-				:sname	=> 'smb',
-				:pass   => pass,
-				:source_type => "user_supplied",
-				:active => true
-			}
-			if accepts_bogus_domains? rhost
-				if datastore["PRESERVE_DOMAINS"]
-					d,u = domain_username_split(user)
-					report_hash[:user] = u
-				else
-					report_hash[:user] = "#{datastore["SMBUser"]}"
-				end
-			else
-				if datastore["PRESERVE_DOMAINS"]
-					d,u = domain_username_split(user)
-					report_hash[:user] = "#{datastore["SMBDomain"]}/#{u}"
-				else
-					report_hash[:user] = "#{datastore["SMBDomain"]}/#{datastore["SMBUser"]}"
-				end
-			end
-
-			if pass =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
-				report_hash.merge!({:type => 'smb_hash'})
-			else
-				report_hash.merge!({:type => 'password'})
-			end
-			report_auth_info(report_hash)
 		else
 			# Samba has two interesting behaviors:
 			# 1) Invalid users receive a guest login
@ -250,5 +230,40 @@ class Metasploit3 < Msf::Auxiliary
 		return :next_user
 	end

+	def report_creds(user,pass)
+		
+		report_hash = {
+			:host	=> rhost,
+			:port   => datastore['RPORT'],
+			:sname	=> 'smb',
+			:pass   => pass,
+			:source_type => "user_supplied",
+			:active => true
+		}
+		if accepts_bogus_domains? rhost
+			if datastore["PRESERVE_DOMAINS"]
+				d,u = domain_username_split(user)
+				report_hash[:user] = u
+			else
+				report_hash[:user] = "#{datastore["SMBUser"]}"
+			end
+		else
+			if datastore["PRESERVE_DOMAINS"]
+				d,u = domain_username_split(user)
+				report_hash[:user] = "#{datastore["SMBDomain"]}/#{u}"
+			else
+				report_hash[:user] = "#{datastore["SMBDomain"]}/#{datastore["SMBUser"]}"
+			end
+		end
+
+		if pass =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
+			report_hash.merge!({:type => 'smb_hash'})
+		else
+			report_hash.merge!({:type => 'password'})
+		end
+		report_auth_info(report_hash)
+	end
+
+
 end

--- a/modules/auxiliary/scanner/telnet/telnet_login.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_login.rb
@ -89,6 +89,7 @@ class Metasploit3 < Msf::Auxiliary
 		case ret
 		when :no_auth_required
 			print_good "#{rhost}:#{rport} Telnet - No authentication required!"
+			report_telnet('','',@trace)
 			return :abort
 		when :no_pass_prompt
 			vprint_status "#{rhost}:#{rport} Telnet - Skipping '#{user}' due to missing password prompt"
@ -102,6 +103,15 @@ class Metasploit3 < Msf::Auxiliary
 		when :skip_user
 			vprint_status "#{rhost}:#{rport} Telnet - Skipping disallowed user '#{user}' for subsequent requests"
 			return :skip_user
+		when :success
+			unless user == user.downcase
+				case_ret = do_login(user.downcase,pass)
+				if case_ret == :success
+					user= user.downcase
+					print_status("Username #{user} is case insensitive")
+				end
+			end
+			report_telnet(user,pass,@trace)
 		else
 			if login_succeeded?
 				start_telnet_session(rhost,rport,user,pass)
@ -140,7 +150,6 @@ class Metasploit3 < Msf::Auxiliary
 		end

 		if login_succeeded?
-			report_telnet('','',@trace)
 			return :no_auth_required
 		end

@ -179,7 +188,6 @@ class Metasploit3 < Msf::Auxiliary
 			vprint_status("#{rhost}:#{rport} Result: #{@recvd.gsub(/[\r\n\e\b\a]/, ' ')}")

 			if login_succeeded?
-				report_telnet(user,pass,@trace)
 				return :success
 			else
 				self.sock.close unless self.sock.closed?
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				:host	=> datastore['RHOST'],
 				:port   => datastore['RPORT'],
 				:sname	=> 'smb',
-				:user	=> datastore['SMBUser'],
+				:user	=> datastore['SMBUser'].downcase,
 				:pass	=> datastore['SMBPass'],
 				:active => true
 			}
--- a/modules/post/windows/gather/hashdump.rb
+++ b/modules/post/windows/gather/hashdump.rb
@ -81,7 +81,7 @@ class Metasploit3 < Msf::Post
 					:host  => session.sock.peerhost,
 					:port  => 445,
 					:sname => 'smb',
-					:user  => users[rid][:Name],
+					:user  => users[rid][:Name].downcase,
 					:pass  => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
 					:type  => "smb_hash"
 				)