Merge pull request #47 from rapid7/feature/MSP-9712/winrm-bruteforce
45 merged, steps passing. MSP-9712 #landbug/bundler_fix
commit
d215b8e5b2
|
@ -12,10 +12,6 @@ class Metasploit::Framework::CredentialCollection
|
|||
# @return [String]
|
||||
attr_accessor :pass_file
|
||||
|
||||
# @!attribute realm
|
||||
# @return [String]
|
||||
attr_accessor :realm
|
||||
|
||||
# @!attribute password
|
||||
# @return [String]
|
||||
attr_accessor :password
|
||||
|
@ -27,6 +23,10 @@ class Metasploit::Framework::CredentialCollection
|
|||
# @return [Array<Credential>]
|
||||
attr_accessor :prepended_creds
|
||||
|
||||
# @!attribute realm
|
||||
# @return [String]
|
||||
attr_accessor :realm
|
||||
|
||||
# @!attribute user_as_pass
|
||||
# Whether each username should be tried as a password for that user
|
||||
# @return [Boolean]
|
||||
|
@ -41,8 +41,8 @@ class Metasploit::Framework::CredentialCollection
|
|||
# @return [String]
|
||||
attr_accessor :username
|
||||
|
||||
# @!attribute user_file
|
||||
# Path to a file containing usernames and passwords seperated by a space,
|
||||
# @!attribute userpass_file
|
||||
# Path to a file containing usernames and passwords separated by a space,
|
||||
# one pair per line
|
||||
# @return [String]
|
||||
attr_accessor :userpass_file
|
||||
|
|
|
@ -60,16 +60,35 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
scanner.scan! do |result|
|
||||
if result.success?
|
||||
cred_hash = {
|
||||
:host => ip,
|
||||
:port => rport,
|
||||
:sname => 'winrm',
|
||||
:pass => result.credential.private,
|
||||
:user => result.credential.public,
|
||||
:source_type => "user_supplied",
|
||||
:active => true
|
||||
|
||||
service_data = {
|
||||
address: ip,
|
||||
port: rport,
|
||||
service_name: 'winrm',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
report_auth_info(cred_hash)
|
||||
|
||||
credential_data = {
|
||||
module_fullname: self.fullname,
|
||||
origin_type: :service,
|
||||
private_data: result.credential.private,
|
||||
private_type: :password,
|
||||
username: result.credential.public,
|
||||
realm_key: Metasploit::Credential::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
|
||||
realm_value: result.credential.realm,
|
||||
}.merge(service_data)
|
||||
|
||||
credential_core = create_credential(credential_data)
|
||||
login_data = {
|
||||
access_level: 'Admin',
|
||||
core: credential_core,
|
||||
last_attempted_at: DateTime.now,
|
||||
status: Metasploit::Credential::Login::Status::SUCCESSFUL
|
||||
}.merge(service_data)
|
||||
|
||||
create_credential_login(login_data)
|
||||
|
||||
print_good "#{ip}:#{rport}: Valid credential found: #{result.credential}"
|
||||
else
|
||||
vprint_status "#{ip}:#{rport}: Login failed: #{result.credential}"
|
||||
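Review bot: `realm_key: Metasploit::Credential::Realm::Key::ACTIVE_DIRECTORY_DOMAIN` and `realm_value: result.credential.realm` are set on every successful login in `credential_data`, so a login that carried no realm (for example a local account) would presumably still be stored as an Active Directory credential with an empty realm value. I would leave those two keys out of the literal and add them only when a realm is present, e.g. `credential_data.merge!(realm_key: Metasploit::Credential::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, realm_value: result.credential.realm) unless result.credential.realm.to_s.empty?` before the `create_credential` call. `access_level: 'Admin'` in `login_data` is likewise hard-coded, although nothing visible in the hunk checks the privilege of the account that authenticated. A short comment stating why a successful WinRM login is recorded as administrative would help anyone who later relies on the stored logins. The `scanner.scan!` block begins and ends outside the hunk.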
|
|
|
@ -5,22 +5,25 @@ describe Metasploit::Framework::CredentialCollection do
|
|||
|
||||
subject(:collection) do
|
||||
described_class.new(
|
||||
username: username,
|
||||
password: password,
|
||||
user_file: user_file,
|
||||
blank_passwords: blank_passwords,
|
||||
pass_file: pass_file,
|
||||
password: password,
|
||||
user_as_pass: user_as_pass,
|
||||
user_file: user_file,
|
||||
username: username,
|
||||
userpass_file: userpass_file,
|
||||
)
|
||||
end
|
||||
|
||||
let(:blank_passwords) { nil }
|
||||
let(:username) { "user" }
|
||||
let(:password) { "pass" }
|
||||
let(:user_file) { nil }
|
||||
let(:pass_file) { nil }
|
||||
let(:user_as_pass) { nil }
|
||||
let(:userpass_file) { nil }
|
||||
|
||||
describe "#each" do
|
||||
|
||||
specify do
|
||||
expect { |b| collection.each(&b) }.to yield_with_args(Metasploit::Framework::Credential)
|
||||
end
|
||||
|
@ -81,6 +84,54 @@ describe Metasploit::Framework::CredentialCollection do
|
|||
end
|
||||
end
|
||||
|
||||
context "when given a pass_file and user_file" do
|
||||
let(:password) { nil }
|
||||
let(:username) { nil }
|
||||
let(:user_file) do
|
||||
filename = "user_file"
|
||||
stub_file = StringIO.new("asdf\njkl\n")
|
||||
File.stub(:open).with(filename,/^r/).and_yield stub_file
|
||||
|
||||
filename
|
||||
end
|
||||
let(:pass_file) do
|
||||
filename = "pass_file"
|
||||
stub_file = StringIO.new("asdf\njkl\n")
|
||||
File.stub(:open).with(filename,/^r/).and_return stub_file
|
||||
|
||||
filename
|
||||
end
|
||||
|
||||
specify do
|
||||
expect { |b| collection.each(&b) }.to yield_successive_args(
|
||||
Metasploit::Framework::Credential.new(public: "asdf", private: "asdf"),
|
||||
Metasploit::Framework::Credential.new(public: "asdf", private: "jkl"),
|
||||
Metasploit::Framework::Credential.new(public: "jkl", private: "asdf"),
|
||||
Metasploit::Framework::Credential.new(public: "jkl", private: "jkl"),
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context "when :user_as_pass is true" do
|
||||
let(:user_as_pass) { true }
|
||||
specify do
|
||||
expect { |b| collection.each(&b) }.to yield_successive_args(
|
||||
Metasploit::Framework::Credential.new(public: username, private: password),
|
||||
Metasploit::Framework::Credential.new(public: username, private: username),
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context "when :blank_passwords is true" do
|
||||
let(:blank_passwords) { true }
|
||||
specify do
|
||||
expect { |b| collection.each(&b) }.to yield_successive_args(
|
||||
Metasploit::Framework::Credential.new(public: username, private: password),
|
||||
Metasploit::Framework::Credential.new(public: username, private: ""),
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
describe "#prepend_cred" do
|
||||
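Review bot: The two `File.stub(:open)` calls in the "when given a pass_file and user_file" context differ, with `and_yield` for `user_file` and `and_return` for `pass_file`, and nothing in the spec says why. This presumably mirrors how `CredentialCollection#each` opens each file, in which case the four expected pairs depend on the single `StringIO` being rewound between users. Once confirmed against the implementation, a one-line comment above the second stub would record that, such as `# pass_file is opened without a block and reused for every user, so return the IO rather than yield it`. The mode matcher `/^r/` would also read more precisely as `/\Ar/`, since `^` matches at the start of any line and not only at the start of the string.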
|
|