infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #8914, refactor auxiliary/admin/http credential storage

4.x
Brent Cook 2018-08-24 13:18:32 -05:00 committed by Metasploit
parent 3c0f3f68f2
commit cca98bce25
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
16 changed files with 121 additions and 459 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
modules/auxiliary/admin/hp/hp_imc_som_create_account.rb
View File

@ -68,32 +68,6 @@ class MetasploitModule < Msf::Auxiliary
return nil
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
print_status("Trying to find the service desk service strong name...")
@ -255,14 +229,16 @@ class MetasploitModule < Msf::Auxiliary
login_url = ssl ? "https://" : "http://"
login_url << "#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp"
report_cred(
ip: rhost,
port: rport,
service_name: (ssl ? "https" : "http"),
user: datastore['USERNAME'],
password: datastore['PASSWORD'],
proof: "#{login_url}\n#{res.body}"
)
connection_details = {
module_fullname: self.fullname,
username: datastore['USERNAME'],
private_data: datastore['PASSWORD'],
private_type: :password,
workspace_id: myworkspace_id,
proof: "#{login_url}\n#{res.body}",
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.")
print_status("Use it to log into #{login_url}")

41
modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb
View File

@ -30,34 +30,6 @@ class MetasploitModule < Msf::Auxiliary
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
@ -97,6 +69,19 @@ class MetasploitModule < Msf::Auxiliary
vprint_good("user: #{@user}")
vprint_good("pass: #{pass}")
connection_details = {
module_fullname: self.fullname,
username: @user,
private_data: pass,
private_type: :password,
workspace_id: myworkspace_id,
proof: line,
last_attempted_at: DateTime.now, # kept in refactor may not be valid, obtained but do not attempted here
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
report_cred(
ip: rhost,
port: rport,

46
modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
View File

@ -28,32 +28,6 @@ class MetasploitModule < Msf::Auxiliary
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
@ -91,14 +65,18 @@ class MetasploitModule < Msf::Auxiliary
pass = $1
pass = Rex::Text.decode_base64(pass)
print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")
report_cred(
ip: rhost,
port: rport,
sname: 'http',
user: user,
password: pass,
proof: line
)
connection_details = {
module_fullname: self.fullname,
username: user,
private_data: pass,
private_type: :password,
workspace_id: myworkspace_id,
proof: line,
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
end
end

34
modules/auxiliary/admin/http/kaseya_master_admin.rb
View File

@ -75,30 +75,16 @@ class MetasploitModule < Msf::Auxiliary
end
print_good("Master Administrator account with credentials #{datastore['KASEYA_USER']}:#{datastore['KASEYA_PASS']} created")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['KASEYA_PASS'],
username: datastore['KASEYA_USER']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Master Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
connection_details = {
module_fullname: self.fullname,
username: datastore['KASEYA_USER'],
private_data: datastore['KASEYA_PASS'],
private_type: :password,
workspace_id: myworkspace_id,
access_level: 'Master Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
end

34
modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb
View File

@ -66,29 +66,15 @@ class MetasploitModule < Msf::Auxiliary
end
print_good("Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['PASSWORD'],
username: datastore['USERNAME']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
connection_details = {
module_fullname: self.fullname,
username: datastore['USERNAME'],
private_data: datastore['PASSWORD'],
private_type: :password,
workspace_id: myworkspace_id,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
end

33
modules/auxiliary/admin/http/manageengine_pmp_privesc.rb
View File

@ -239,41 +239,14 @@ class MetasploitModule < Msf::Auxiliary
end
print_status("Reporting Super Administrator credentials...")
report_super_admin_creds(username, password)
store_valid_credentail(user: username, private: password)
print_status("Leaking Password database...")
loot_passwords(cookie_su)
end
def report_super_admin_creds(username, password)
status = Metasploit::Model::Login::Status::SUCCESSFUL
service_data = {
address: rhost,
port: rport,
service_name: 'https',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: username,
username: password
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Super Administrator',
status: status,
last_attempted_at: DateTime.now
}
login_data.merge!(service_data)
create_credential_login(login_data)
def service_details
super.merge({access_level: 'Super Administrator'})
end
def loot_passwords(cookie_admin)

34
modules/auxiliary/admin/http/netgear_auth_download.rb
View File

@ -148,45 +148,13 @@ class MetasploitModule < Msf::Auxiliary
print_good("File saved in: #{path}")
end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: 'netgear',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
cookie = authenticate
if cookie == nil
fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
else
print_good("#{peer} - Logged in with #{datastore['USERNAME']}:#{datastore['PASSWORD']} successfully.")
report_cred(
user: datastore['USERNAME'],
password: datastore['PASSWORD'],
proof: cookie
)
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'], proof: cookie) # more consistent service_name and protocol
end
if datastore['FILEPATH'].blank?

27
modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
View File

@ -130,33 +130,14 @@ class MetasploitModule < Msf::Auxiliary
pass = $1
print_good("admin / #{pass} credentials found")
service_data = {
address: rhost,
port: rport,
service_name: 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
connection_details = {
module_fullname: self.fullname,
origin_type: :service,
private_data: pass,
private_type: :password,
username: 'admin'
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
username: 'admin',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
}.merge(service_details)
create_credential_and_login(connection_details)
end
end

29
modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb
View File

@ -148,33 +148,6 @@ class MetasploitModule < Msf::Auxiliary
return [username, password]
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: 'netgear',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def send_req(timestamp)
begin
query_str = (timestamp == nil ? \
@ -241,7 +214,7 @@ class MetasploitModule < Msf::Auxiliary
if res && res.code == 200
credentials = get_creds
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
report_cred({ 'user' => credentials[0], 'password' => credentials[1] })
store_valid_credential(user: credentials[0], private: credentials[1]) # more consistent service_name and protocol, now supplies ip and port
return
end
end

41
modules/auxiliary/admin/http/nexpose_xxe_file_read.rb
View File

@ -43,36 +43,10 @@ class MetasploitModule < Msf::Auxiliary
])
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_data)
create_credential_login(login_data)
end
def run
user = datastore['USERNAME']
pass = datastore['PASSWORD']
trust_store = datastore['TRUST_STORE']
prot = ssl ? 'https' : 'http'
nsc = Nexpose::Connection.new(rhost, user, pass, rport, nil, nil, trust_store)
@ -80,13 +54,14 @@ class MetasploitModule < Msf::Auxiliary
begin
nsc.login
report_cred(
ip: rhost,
port: rport,
service_name: prot,
user: user,
password: pass
)
connection_details = {
module_fullname: self.fullname,
username: user,
private_data: pass,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
rescue
print_error("Error authenticating, check your credentials")

33
modules/auxiliary/admin/http/sysaid_admin_acct.rb
View File

@ -54,30 +54,17 @@ class MetasploitModule < Msf::Auxiliary
if res && res.code == 200 && res.body.to_s =~ /Error while creating account/
# No way to know whether this worked or not, it always says error
print_status("The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['PASSWORD'],
username: datastore['USERNAME']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
connection_details = {
module_fullname: self.fullname,
username: datastore['USERNAME'],
private_data: datastore['PASSWORD'],
private_type: :password,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
else
print_error("Administrator account creation failed")
end

14
modules/auxiliary/admin/http/sysaid_sql_creds.rb
View File

@ -121,20 +121,12 @@ class MetasploitModule < Msf::Auxiliary
return
end
else
fail_with(Failure::NotVulnerable, "#{peer} - Failed to obtain database credentials, response was: #{res.code}")
fail_with(Failure::NotVulnerable, "#{peer} - Failed to obtain database credentials, response was: #{res ? res.code : 'unknown'}")
end
end
def report_credential_core(cred_opts={})
origin_service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
# use a basic core only since this credential is not known valid for service it was obtained from.
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
@ -142,8 +134,6 @@ class MetasploitModule < Msf::Auxiliary
private_data: cred_opts[:password],
username: cred_opts[:username]
}
credential_data.merge!(origin_service_data)
create_credential(credential_data)
end
end

44
modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb
View File

@ -47,33 +47,6 @@ class MetasploitModule < Msf::Auxiliary
datastore["PASSWORD"]
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
if user == pass
@ -109,14 +82,15 @@ class MetasploitModule < Msf::Auxiliary
if res and res.code == 200 and res.body =~ /Administrator account created/
print_good("Admin account with credentials #{user}:#{pass} successfully created")
report_cred(
ip: rhost,
port: rport,
service_name: 'http',
user: user,
password: pass,
proof: res.body
)
connection_details = {
module_fullname: self.fullname,
username: user,
private_data: pass,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: res.body
}.merge(service_details)
create_credential_and_login(connection_details)
else
print_error("Admin account creation failed")
end

40
modules/auxiliary/admin/http/webnms_cred_disclosure.rb
View File

@ -102,7 +102,14 @@ Windows and Linux.
if password && username
plaintext_password = super_redacted_deobfuscation(password)
cred_table << [ username, plaintext_password ]
register_creds(username, plaintext_password)
connection_details = {
module_fullname: self.fullname,
username: username,
private_data: plaintext_password,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
}
@ -242,34 +249,7 @@ Windows and Linux.
final
end
def register_creds(username, password)
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
workspace_id: myworkspace_id,
private_data: password,
private_type: :password,
username: username
}
service_data = {
address: rhost,
port: rport,
service_name: 'WebNMS-' + (ssl ? 'HTTPS' : 'HTTP'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED,
workspace_id: myworkspace_id
}
login_data.merge!(service_data)
create_credential_login(login_data)
def service_details
super.merge({service_name: 'WebNMS-' + (ssl ? 'HTTPS' : 'HTTP')}) # this should possibly be removed
end
end

43
modules/auxiliary/admin/http/wp_symposium_sql_injection.rb
View File

@ -63,32 +63,6 @@ class MetasploitModule < Msf::Auxiliary
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
vprint_status("#{peer} - Attempting to connect...")
vprint_status("#{peer} - Trying to retrieve the first user id...")
@ -127,14 +101,15 @@ class MetasploitModule < Msf::Auxiliary
user_email = values[2]
print_good("#{peer} - #{sprintf("%-15s %-34s %s", user_login, user_pass, user_email)}")
report_cred(
ip: rhost,
port: datastore['RPORT'],
service_name: datastore['SSL'] ? 'https' : 'http',
user: user_login,
password: user_pass,
proof: user_email
)
connection_details = {
module_fullname: self.fullname,
username: user_login,
private_data: user_pass,
private_type: :nonreplayable_hash,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: user_email
}.merge(service_details)
create_credential(connection_details)
credentials << "#{user_login},#{user_pass},#{user_email}\n"
end

43
modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb
View File

@ -30,32 +30,6 @@ class MetasploitModule < Msf::Auxiliary
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
begin
print_status("Trying to get 'admin' user password ...")
@ -86,14 +60,15 @@ class MetasploitModule < Msf::Auxiliary
admin_password = admin_password_matches[1];
print_good("Password for user 'admin' is: #{admin_password}")
report_cred(
ip: rhost,
port: rport,
service_name: 'ZyXEL GS1510-16',
user: 'admin',
password: admin_password,
proof: res.body
)
connection_details = {
module_fullname: self.fullname,
username: 'admin',
private_data: admin_password,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: res.body
}.merge(service_details)
create_credential_and_login(connection_details) # makes service_name more consistent
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Failed to connect")