diff --git a/data/armitage/armitage.jar b/data/armitage/armitage.jar
old mode 100644
new mode 100755
diff --git a/data/armitage/readme.txt b/data/armitage/readme.txt
old mode 100644
new mode 100755
diff --git a/data/armitage/whatsnew.txt b/data/armitage/whatsnew.txt
old mode 100644
new mode 100755
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index e31a10a701..36c324028a 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -976,10 +976,24 @@ class DBManager
 # If duplicate usernames are okay, find by both user and password (allows
 # for actual duplicates to get modified updated_at, sources, etc)
 if duplicate_ok
- cred = service.creds.find_or_initialize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
+ cred = service.creds.find_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
+ unless cred
+ dcu = token[0].downcase
+ cred = service.creds.find_by_user_and_ptype_and_pass( dcu || "", ptype, token[1] || "")
+ unless cred
+ cred = service.creds.find_or_initalize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
+ end
+ end
 else
 # Create the cred by username only (so we can change passwords)
- cred = service.creds.find_or_initialize_by_user_and_ptype(token[0] || "", ptype)
+ cred = service.creds.find_by_user_and_ptype(token[0] || "", ptype)
+ unless cred
+ dcu = token[0].downcase
+ cred = service.creds.find_by_user_and_ptype_and_pass( dcu || "", ptype, token[1] || "")
+ unless cred
+ cred = service.creds.find_or_initialize_by_user_and_ptype(token[0] || "", ptype)
+ end
+ end
 end
 
 # Update with the password
diff --git a/modules/auxiliary/scanner/ftp/ftp_login.rb b/modules/auxiliary/scanner/ftp/ftp_login.rb
index 29969e724d..581fbdbc64 100644
--- a/modules/auxiliary/scanner/ftp/ftp_login.rb
+++ b/modules/auxiliary/scanner/ftp/ftp_login.rb
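Review bot: The innermost fallback of the `duplicate_ok` branch calls `find_or_initalize_by_user_and_ptype_and_pass` (the `i` in `initialize` is missing), so the path that is supposed to create a new cred once both the exact and the lowercase lookups miss will raise NoMethodError instead of creating anything. Both new `dcu = token[0].downcase` lines also dereference `token[0]` before the `|| ""` guard that every other call in this hunk applies, so a nil user crashes here; `dcu = (token[0] || "").downcase` keeps the guard and makes the later `dcu || ""` redundant. In the `else` branch the lowercase probe is `find_by_user_and_ptype_and_pass(dcu, ptype, token[1] || "")`, while the comment above it says this branch matches by username only so passwords can be updated; `find_by_user_and_ptype(dcu || "", ptype)` would keep the two lookups consistent. Matching an existing lowercase record also silently merges credentials that a case-sensitive service would treat as distinct, which deserves a one-line comment stating that the fold is intentional.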
@@ -61,6 +61,16 @@ class Metasploit3 < Msf::Auxiliary
 next if user.nil?
 ret = do_login(user,pass)
 ftp_quit if datastore['SINGLE_SESSION']
+ if ret == :next_user
+ unless user == user.downcase
+ ret = do_login(user.downcase,pass)
+ if ret == :next_user
+ user = user.downcase
+ print_status("Username #{user} is not case sensitive")
+ end
+ end
+ report_ftp_creds(user,pass,@access)
+ end
 ret
 }
 check_anonymous
@@ -119,8 +129,7 @@ class Metasploit3 < Msf::Auxiliary
 pass_response = send_pass(pass, @ftp_sock)
 if pass_response =~ /^2/
 print_good("#{rhost}:#{rport} - Successful FTP login for '#{user}':'#{pass}'")
- access = test_ftp_access(user)
- report_ftp_creds(user,pass,access)
+ @access = test_ftp_access(user)
 ftp_quit
 return :next_user
 else
diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb
index 6305095755..d3a92de489 100644
--- a/modules/auxiliary/scanner/mssql/mssql_login.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_login.rb
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
 :host => rhost,
 :port => rport,
 :sname => 'mssql',
- :user => user,
+ :user => user.downcase,
 :pass => pass,
 :source_type => "user_supplied",
 :active => true
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index ac82a58215..5f3a8faaf3 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -70,7 +70,17 @@ class Metasploit3 < Msf::Auxiliary
 
 begin
 each_user_pass do |user, pass|
- try_user_pass(user, pass)
+ result = try_user_pass(user, pass)
+ if result == :next_user
+ unless user == user.downcase
+ result = try_user_pass(user.downcase, pass)
+ if result == :next_user
+ print_status("Username is case insensitive")
+ user = user.downcase
+ end
+ end
+ report_creds(user,pass)
+ end
 end
 rescue ::Rex::ConnectionError
 nil
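Review bot: In the added `if ret == :next_user` block, a failed lowercase retry overwrites `ret` with the retry's result, so the block's final `ret` no longer hands `:next_user` back to `each_user_pass` for a user whose original-case login just succeeded, and as far as that helper's contract goes the scanner keeps iterating passwords for an already-cracked user. Keeping the retry in its own local, `case_ret = do_login(user.downcase,pass)` followed by `if case_ret == :next_user`, leaves `ret` intact. The retry is also a second authentication attempt against the target for every mixed-case username, which counts towards account-lockout thresholds on the service side; a short comment next to the retry stating that trade-off would help the next maintainer. The enclosing `each_user_pass` block begins outside the hunk.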
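Review bot: `:user => user.downcase` in the mssql hunk normalizes the reported username unconditionally, whereas the ftp, smb and telnet hunks of this commit first verify that the lowercase form actually authenticates before recording it; SQL Server compares login names under the server collation, which can be case-sensitive, so the stored cred may no longer be the one that worked. Recording `user` as accepted, or verifying the lowercase form the way the other scanners do, avoids that divergence. If `user` can be nil at this point (the ftp hunk guards with `next if user.nil?`), `.downcase` will also raise; whether that guard exists here is outside the hunk.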
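Review bot: In the smb hunk the block passed to `each_user_pass` no longer ends with the login result: its last expression is now the `if result == :next_user ... end` statement, which evaluates to the return value of `report_creds` (or nil when the login failed), so `:next_user` and any other signal from `try_user_pass` never reach `each_user_pass`. Adding `result` as the block's final line restores the original return value. As in the ftp hunk, the retry should go into a separate local rather than overwriting `result`, otherwise a failed lowercase attempt replaces the successful result before it is returned. `print_status("Username is case insensitive")` would be more useful with the username included, as the ftp version of this message does.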
@@ -203,36 +213,6 @@ class Metasploit3 < Msf::Auxiliary
 
 if(simple.client.auth_user)
 print_good("#{smbhost} - SUCCESSFUL LOGIN (#{smb_peer_os}) '#{splitname(user)}' : '#{pass}'")
- report_hash = {
- :host => rhost,
- :port => datastore['RPORT'],
- :sname => 'smb',
- :pass => pass,
- :source_type => "user_supplied",
- :active => true
- }
- if accepts_bogus_domains? rhost
- if datastore["PRESERVE_DOMAINS"]
- d,u = domain_username_split(user)
- report_hash[:user] = u
- else
- report_hash[:user] = "#{datastore["SMBUser"]}"
- end
- else
- if datastore["PRESERVE_DOMAINS"]
- d,u = domain_username_split(user)
- report_hash[:user] = "#{datastore["SMBDomain"]}/#{u}"
- else
- report_hash[:user] = "#{datastore["SMBDomain"]}/#{datastore["SMBUser"]}"
- end
- end
-
- if pass =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
- report_hash.merge!({:type => 'smb_hash'})
- else
- report_hash.merge!({:type => 'password'})
- end
- report_auth_info(report_hash)
 else
 # Samba has two interesting behaviors:
 # 1) Invalid users receive a guest login
@@ -250,5 +230,40 @@ class Metasploit3 < Msf::Auxiliary
 return :next_user
 end
 
+ def report_creds(user,pass)
+
+ report_hash = {
+ :host => rhost,
+ :port => datastore['RPORT'],
+ :sname => 'smb',
+ :pass => pass,
+ :source_type => "user_supplied",
+ :active => true
+ }
+ if accepts_bogus_domains? rhost
+ if datastore["PRESERVE_DOMAINS"]
+ d,u = domain_username_split(user)
+ report_hash[:user] = u
+ else
+ report_hash[:user] = "#{datastore["SMBUser"]}"
+ end
+ else
+ if datastore["PRESERVE_DOMAINS"]
+ d,u = domain_username_split(user)
+ report_hash[:user] = "#{datastore["SMBDomain"]}/#{u}"
+ else
+ report_hash[:user] = "#{datastore["SMBDomain"]}/#{datastore["SMBUser"]}"
+ end
+ end
+
+ if pass =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
+ report_hash.merge!({:type => 'smb_hash'})
+ else
+ report_hash.merge!({:type => 'password'})
+ end
+ report_auth_info(report_hash)
+ end
+
+
 end
 
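Review bot: The new `report_creds` method honors its `user` argument only when `PRESERVE_DOMAINS` is set; the other two branches report `datastore["SMBUser"]` verbatim, so the `user = user.downcase` normalization the caller performs in the earlier smb hunk never reaches the stored record in the default configuration. If `user` can carry a domain prefix here, as the `splitname(user)` call above suggests, hoisting `_d,u = domain_username_split(user)` above the `if` and reporting `u` (or `"#{datastore["SMBDomain"]}/#{u}"`) in every branch keeps the record in sync with what was actually verified and also removes the unused `d`. The hash-detection regex `/[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/` is unanchored, so a plain password that merely contains such a substring is typed as `smb_hash`; `\A[0-9a-fA-F]{32}:[0-9a-fA-F]{32}\z` matches only a whole LM:NT pair. The body is moved code, but the method itself is new and a one-line comment stating when `user` is honored versus the datastore would help.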
diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb
index 5f2d514e7e..1400ffa12a 100644
--- a/modules/auxiliary/scanner/telnet/telnet_login.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_login.rb
@@ -89,6 +89,7 @@ class Metasploit3 < Msf::Auxiliary
 case ret
 when :no_auth_required
 print_good "#{rhost}:#{rport} Telnet - No authentication required!"
+ report_telnet('','',@trace)
 return :abort
 when :no_pass_prompt
 vprint_status "#{rhost}:#{rport} Telnet - Skipping '#{user}' due to missing password prompt"
@@ -102,6 +103,15 @@ class Metasploit3 < Msf::Auxiliary
 when :skip_user
 vprint_status "#{rhost}:#{rport} Telnet - Skipping disallowed user '#{user}' for subsequent requests"
 return :skip_user
+ when :success
+ unless user == user.downcase
+ case_ret = do_login(user.downcase,pass)
+ if case_ret == :success
+ user= user.downcase
+ print_status("Username #{user} is case insensitive")
+ end
+ end
+ report_telnet(user,pass,@trace)
 else
 if login_succeeded?
 start_telnet_session(rhost,rport,user,pass)
@@ -140,7 +150,6 @@ class Metasploit3 < Msf::Auxiliary
 
 end
 if login_succeeded?
- report_telnet('','',@trace)
 return :no_auth_required
 end
 
@@ -179,7 +188,6 @@ class Metasploit3 < Msf::Auxiliary
 
 vprint_status("#{rhost}:#{rport} Result: #{@recvd.gsub(/[\r\n\e\b\a]/, ' ')}")
 if login_succeeded?
- report_telnet(user,pass,@trace)
 return :success
 else
 self.sock.close unless self.sock.closed?
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index 6d9d151d3e..27e3b6caf8 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
 :host => datastore['RHOST'],
 :port => datastore['RPORT'],
 :sname => 'smb',
- :user => datastore['SMBUser'],
+ :user => datastore['SMBUser'].downcase,
 :pass => datastore['SMBPass'],
 :active => true
 }
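Review bot: The new `when :success` arm in the second telnet hunk reports the credential but never reaches the `start_telnet_session(rhost,rport,user,pass)` call that the `else` arm below it still performs, so a successful login no longer opens a session unless that is handled somewhere outside the hunk; worth confirming before merging. The retry `do_login(user.downcase,pass)` is issued immediately after a login that just succeeded, and whether `do_login` reconnects first is outside the hunk; if it reuses the already-authenticated socket, `login_succeeded?` may see the logged-in prompt and mark the username as case-insensitive when it is not. Closing the connection before the retry, as the ftp hunk does with `ftp_quit`, would make the check meaningful. Minor style: `user= user.downcase` is missing the space before `=`. The `case ret` statement and the enclosing method start outside the hunk.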
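Review bot: In the psexec hunk, `datastore['SMBUser'].downcase` raises NoMethodError if the option is unset rather than empty; `datastore['SMBUser'].to_s.downcase` reports an empty name in that case and keeps the exploit's reporting path from failing after a successful run. Whether the option can be nil here depends on its registration outside the hunk, so this is worth confirming rather than assumed.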
diff --git a/modules/post/windows/gather/hashdump.rb b/modules/post/windows/gather/hashdump.rb
index 2fc36806bd..9e1aeb4728 100644
--- a/modules/post/windows/gather/hashdump.rb
+++ b/modules/post/windows/gather/hashdump.rb
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Post
 :host => session.sock.peerhost,
 :port => 445,
 :sname => 'smb',
- :user => users[rid][:Name],
+ :user => users[rid][:Name].downcase,
 :pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
 :type => "smb_hash"
 )