Merge branch 'staging/electro_release' into feature/login_scanner/snmp
Conflicts: lib/metasploit/framework/login_scanner/result.rbbug/bundler_fix
commit
e5276d111d
|
@ -0,0 +1,276 @@
|
|||
require 'metasploit/framework/tcp/client'
|
||||
|
||||
module Metasploit
|
||||
module Framework
|
||||
module Ftp
|
||||
module Client
|
||||
include Metasploit::Framework::Tcp::Client
|
||||
|
||||
#
|
||||
# This method establishes an FTP connection to host and port specified by
|
||||
# the 'rhost' and 'rport' methods. After connecting, the banner
|
||||
# message is read in and stored in the 'banner' attribute.
|
||||
#
|
||||
def connect(global = true)
|
||||
fd = super(global)
|
||||
|
||||
@ftpbuff = '' unless @ftpbuff
|
||||
|
||||
# Wait for a banner to arrive...
|
||||
self.banner = recv_ftp_resp(fd)
|
||||
|
||||
# Return the file descriptor to the caller
|
||||
fd
|
||||
end
|
||||
|
||||
#
|
||||
# This method handles establishing datasocket for data channel
|
||||
#
|
||||
def data_connect(mode = nil, nsock = self.sock)
|
||||
if mode
|
||||
res = send_cmd([ 'TYPE' , mode ], true, nsock)
|
||||
return nil if not res =~ /^200/
|
||||
end
|
||||
|
||||
# force datasocket to renegotiate
|
||||
self.datasocket.shutdown if self.datasocket != nil
|
||||
|
||||
res = send_cmd(['PASV'], true, nsock)
|
||||
return nil if not res =~ /^227/
|
||||
|
||||
# 227 Entering Passive Mode (127,0,0,1,196,5)
|
||||
if res =~ /\((\d+)\,(\d+),(\d+),(\d+),(\d+),(\d+)/
|
||||
# convert port to FTP syntax
|
||||
datahost = "#{$1}.#{$2}.#{$3}.#{$4}"
|
||||
dataport = ($5.to_i * 256) + $6.to_i
|
||||
self.datasocket = Rex::Socket::Tcp.create('PeerHost' => datahost, 'PeerPort' => dataport)
|
||||
end
|
||||
self.datasocket
|
||||
end
|
||||
|
||||
#
|
||||
# This method handles disconnecting our data channel
|
||||
#
|
||||
def data_disconnect
|
||||
self.datasocket.shutdown
|
||||
self.datasocket = nil
|
||||
end
|
||||
|
||||
#
|
||||
# Connect and login to the remote FTP server using the credentials
|
||||
# that have been supplied in the exploit options.
|
||||
#
|
||||
def connect_login(user,pass,global = true)
|
||||
ftpsock = connect(global)
|
||||
|
||||
if !(user and pass)
|
||||
return false
|
||||
end
|
||||
|
||||
res = send_user(user, ftpsock)
|
||||
|
||||
if (res !~ /^(331|2)/)
|
||||
return false
|
||||
end
|
||||
|
||||
if (pass)
|
||||
res = send_pass(pass, ftpsock)
|
||||
if (res !~ /^2/)
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
#
|
||||
# This method logs in as the supplied user by transmitting the FTP
|
||||
# 'USER <user>' command.
|
||||
#
|
||||
def send_user(user, nsock = self.sock)
|
||||
raw_send("USER #{user}\r\n", nsock)
|
||||
recv_ftp_resp(nsock)
|
||||
end
|
||||
|
||||
#
|
||||
# This method completes user authentication by sending the supplied
|
||||
# password using the FTP 'PASS <pass>' command.
|
||||
#
|
||||
def send_pass(pass, nsock = self.sock)
|
||||
raw_send("PASS #{pass}\r\n", nsock)
|
||||
recv_ftp_resp(nsock)
|
||||
end
|
||||
|
||||
#
|
||||
# This method sends a QUIT command.
|
||||
#
|
||||
def send_quit(nsock = self.sock)
|
||||
raw_send("QUIT\r\n", nsock)
|
||||
recv_ftp_resp(nsock)
|
||||
end
|
||||
|
||||
#
|
||||
# This method sends one command with zero or more parameters
|
||||
#
|
||||
def send_cmd(args, recv = true, nsock = self.sock)
|
||||
cmd = args.join(" ") + "\r\n"
|
||||
ret = raw_send(cmd, nsock)
|
||||
if (recv)
|
||||
return recv_ftp_resp(nsock)
|
||||
end
|
||||
return ret
|
||||
end
|
||||
|
||||
#
|
||||
# This method transmits the command in args and receives / uploads DATA via data channel
|
||||
# For commands not needing data, it will fall through to the original send_cmd
|
||||
#
|
||||
# For commands that send data only, the return will be the server response.
|
||||
# For commands returning both data and a server response, an array will be returned.
|
||||
#
|
||||
# NOTE: This function always waits for a response from the server.
|
||||
#
|
||||
def send_cmd_data(args, data, mode = 'a', nsock = self.sock)
|
||||
type = nil
|
||||
# implement some aliases for various commands
|
||||
if (args[0] =~ /^DIR$/i || args[0] =~ /^LS$/i)
|
||||
# TODO || args[0] =~ /^MDIR$/i || args[0] =~ /^MLS$/i
|
||||
args[0] = "LIST"
|
||||
type = "get"
|
||||
elsif (args[0] =~ /^GET$/i)
|
||||
args[0] = "RETR"
|
||||
type = "get"
|
||||
elsif (args[0] =~ /^PUT$/i)
|
||||
args[0] = "STOR"
|
||||
type = "put"
|
||||
end
|
||||
|
||||
# fall back if it's not a supported data command
|
||||
if not type
|
||||
return send_cmd(args, true, nsock)
|
||||
end
|
||||
|
||||
# Set the transfer mode and connect to the remove server
|
||||
return nil if not data_connect(mode)
|
||||
|
||||
# Our pending command should have got a connection now.
|
||||
res = send_cmd(args, true, nsock)
|
||||
# make sure could open port
|
||||
return nil unless res =~ /^(150|125) /
|
||||
|
||||
# dispatch to the proper method
|
||||
if (type == "get")
|
||||
# failed listings jsut disconnect..
|
||||
begin
|
||||
data = self.datasocket.get_once(-1, ftp_timeout)
|
||||
rescue ::EOFError
|
||||
data = nil
|
||||
end
|
||||
else
|
||||
sent = self.datasocket.put(data)
|
||||
end
|
||||
|
||||
# close data channel so command channel updates
|
||||
data_disconnect
|
||||
|
||||
# get status of transfer
|
||||
ret = nil
|
||||
if (type == "get")
|
||||
ret = recv_ftp_resp(nsock)
|
||||
ret = [ ret, data ]
|
||||
else
|
||||
ret = recv_ftp_resp(nsock)
|
||||
end
|
||||
|
||||
ret
|
||||
end
|
||||
|
||||
#
|
||||
# This method transmits a FTP command and waits for a response. If one is
|
||||
# received, it is returned to the caller.
|
||||
#
|
||||
def raw_send_recv(cmd, nsock = self.sock)
|
||||
nsock.put(cmd)
|
||||
nsock.get_once(-1, ftp_timeout)
|
||||
end
|
||||
|
||||
#
|
||||
# This method reads an FTP response based on FTP continuation stuff
|
||||
#
|
||||
def recv_ftp_resp(nsock = self.sock)
|
||||
found_end = false
|
||||
resp = ""
|
||||
left = ""
|
||||
if !@ftpbuff.empty?
|
||||
left << @ftpbuff
|
||||
@ftpbuff = ""
|
||||
end
|
||||
while true
|
||||
data = nsock.get_once(-1, ftp_timeout)
|
||||
if not data
|
||||
@ftpbuff << resp
|
||||
@ftpbuff << left
|
||||
return data
|
||||
end
|
||||
|
||||
got = left + data
|
||||
left = ""
|
||||
|
||||
# handle the end w/o newline case
|
||||
enlidx = got.rindex(0x0a.chr)
|
||||
if enlidx != (got.length-1)
|
||||
if not enlidx
|
||||
left << got
|
||||
next
|
||||
else
|
||||
left << got.slice!((enlidx+1)..got.length)
|
||||
end
|
||||
end
|
||||
|
||||
# split into lines
|
||||
rarr = got.split(/\r?\n/)
|
||||
rarr.each do |ln|
|
||||
if not found_end
|
||||
resp << ln
|
||||
resp << "\r\n"
|
||||
if ln.length > 3 and ln[3,1] == ' '
|
||||
found_end = true
|
||||
end
|
||||
else
|
||||
left << ln
|
||||
left << "\r\n"
|
||||
end
|
||||
end
|
||||
if found_end
|
||||
@ftpbuff << left
|
||||
return resp
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# This method transmits a FTP command and does not wait for a response
|
||||
#
|
||||
def raw_send(cmd, nsock = self.sock)
|
||||
nsock.put(cmd)
|
||||
end
|
||||
|
||||
def ftp_timeout
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# This attribute holds the banner that was read in after a successful call
|
||||
# to connect or connect_login.
|
||||
#
|
||||
attr_accessor :banner, :datasocket
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,238 @@
|
|||
require 'metasploit/framework/ftp/client'
|
||||
require 'metasploit/framework/login_scanner'
|
||||
|
||||
module Metasploit
|
||||
module Framework
|
||||
module LoginScanner
|
||||
|
||||
# This is the LoginScanner class for dealing with FTP.
|
||||
# It is responsible for taking a single target, and a list of credentials
|
||||
# and attempting them. It then saves the results.
|
||||
class FTP
|
||||
include ActiveModel::Validations
|
||||
include Metasploit::Framework::Ftp::Client
|
||||
|
||||
# @!attribute connection_timeout
|
||||
# @return [Fixnum] The timeout in seconds for a single SSH connection
|
||||
attr_accessor :connection_timeout
|
||||
# @!attribute cred_details
|
||||
# @return [Array] An array of Credential objects
|
||||
attr_accessor :cred_details
|
||||
# @!attribute successes
|
||||
# @return [Array] Array of of result objects that failed
|
||||
attr_accessor :failures
|
||||
# @!attribute ftp_timeout
|
||||
# @return [Fixnum] The timeout in seconds to wait for a response to an FTP command
|
||||
attr_accessor :ftp_timeout
|
||||
# @!attribute host
|
||||
# @return [String] The IP address or hostname to connect to
|
||||
attr_accessor :host
|
||||
# @!attribute max_send_size
|
||||
# @return [Fixnum] The max size of the data to encapsulate in a single packet
|
||||
attr_accessor :max_send_size
|
||||
# @!attribute port
|
||||
# @return [Fixnum] The port to connect to
|
||||
attr_accessor :port
|
||||
# @!attribute proxies
|
||||
# @return [String] The proxy directive to use for the socket
|
||||
attr_accessor :proxies
|
||||
# @!attribute send_delay
|
||||
# @return [Fixnum] The delay between sending packets
|
||||
attr_accessor :send_delay
|
||||
# @!attribute ssl
|
||||
# @return [Boolean] Whether the socket should use ssl
|
||||
attr_accessor :ssl
|
||||
# @!attribute ssl_version
|
||||
# @return [String] The version of SSL to implement
|
||||
attr_accessor :ssl_version
|
||||
# @!attribute stop_on_success
|
||||
# @return [Boolean] Whether the scanner should stop when it has found one working Credential
|
||||
attr_accessor :stop_on_success
|
||||
# @!attribute successes
|
||||
# @return [Array] Array of results that successfully logged in
|
||||
attr_accessor :successes
|
||||
|
||||
|
||||
validates :connection_timeout,
|
||||
presence: true,
|
||||
numericality: {
|
||||
only_integer: true,
|
||||
greater_than_or_equal_to: 1
|
||||
}
|
||||
|
||||
validates :cred_details, presence: true
|
||||
|
||||
validates :ftp_timeout,
|
||||
presence: true,
|
||||
numericality: {
|
||||
only_integer: true,
|
||||
greater_than_or_equal_to: 1
|
||||
}
|
||||
|
||||
validates :host, presence: true
|
||||
|
||||
validates :max_send_size,
|
||||
presence: true,
|
||||
numericality: {
|
||||
only_integer: true,
|
||||
greater_than_or_equal_to: 0
|
||||
}
|
||||
|
||||
validates :port,
|
||||
presence: true,
|
||||
numericality: {
|
||||
only_integer: true,
|
||||
greater_than_or_equal_to: 1,
|
||||
less_than_or_equal_to: 65535
|
||||
}
|
||||
|
||||
validates :send_delay,
|
||||
presence: true,
|
||||
numericality: {
|
||||
only_integer: true,
|
||||
greater_than_or_equal_to: 0
|
||||
}
|
||||
|
||||
validates :stop_on_success,
|
||||
inclusion: { in: [true, false] }
|
||||
|
||||
|
||||
validate :host_address_must_be_valid
|
||||
|
||||
validate :validate_cred_details
|
||||
|
||||
# @param attributes [Hash{Symbol => String,nil}]
|
||||
def initialize(attributes={})
|
||||
attributes.each do |attribute, value|
|
||||
public_send("#{attribute}=", value)
|
||||
end
|
||||
self.successes= []
|
||||
self.failures=[]
|
||||
self.max_send_size = 0 if self.max_send_size.nil?
|
||||
self.send_delay = 0 if self.send_delay.nil?
|
||||
end
|
||||
|
||||
# This method attempts a single login with a single credential against the target
|
||||
# @param credential [Credential] The credential object to attmpt to login with
|
||||
# @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
|
||||
def attempt_login(credential)
|
||||
result_options = {
|
||||
private: credential.private,
|
||||
public: credential.public,
|
||||
realm: nil
|
||||
}
|
||||
|
||||
begin
|
||||
success = connect_login(credential.public, credential.private)
|
||||
rescue ::EOFError, Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
|
||||
result_options[:status] = :connection_error
|
||||
success = false
|
||||
end
|
||||
|
||||
|
||||
if success
|
||||
result_options[:status] = :success
|
||||
elsif !(result_options.has_key? :status)
|
||||
result_options[:status] = :failed
|
||||
end
|
||||
|
||||
::Metasploit::Framework::LoginScanner::Result.new(result_options)
|
||||
|
||||
end
|
||||
|
||||
# This method runs all the login attempts against the target.
|
||||
# It calls {attempt_login} once for each credential.
|
||||
# Results are stored in {successes} and {failures}
|
||||
# @return [void] There is no valid return value for this method
|
||||
# @yield [result]
|
||||
# @yieldparam result [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object for the attempt
|
||||
# @yieldreturn [void]
|
||||
def scan!
|
||||
valid!
|
||||
cred_details.each do |credential|
|
||||
result = attempt_login(credential)
|
||||
result.freeze
|
||||
|
||||
yield result if block_given?
|
||||
|
||||
if result.success?
|
||||
successes << result
|
||||
break if stop_on_success
|
||||
else
|
||||
failures << result
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# @raise [Metasploit::Framework::LoginScanner::Invalid] if the attributes are not valid on the scanner
|
||||
def valid!
|
||||
unless valid?
|
||||
raise Metasploit::Framework::LoginScanner::Invalid.new(self)
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
|
||||
# This method validates that the host address is both
|
||||
# of a valid type and is resolveable.
|
||||
# @return [void]
|
||||
def host_address_must_be_valid
|
||||
unless host.kind_of? String
|
||||
errors.add(:host, "must be a string")
|
||||
end
|
||||
begin
|
||||
resolved_host = ::Rex::Socket.getaddress(host, true)
|
||||
if host =~ /^\d{1,3}(\.\d{1,3}){1,3}$/
|
||||
unless host =~ Rex::Socket::MATCH_IPV4
|
||||
errors.add(:host, "could not be resolved")
|
||||
end
|
||||
end
|
||||
host = resolved_host
|
||||
rescue
|
||||
errors.add(:host, "could not be resolved")
|
||||
end
|
||||
end
|
||||
|
||||
def chost
|
||||
'0.0.0.0'
|
||||
end
|
||||
|
||||
def cport
|
||||
0
|
||||
end
|
||||
|
||||
def rhost
|
||||
host
|
||||
end
|
||||
|
||||
def rport
|
||||
port
|
||||
end
|
||||
|
||||
# This method validates that the credentials supplied
|
||||
# are all valid.
|
||||
# @return [void]
|
||||
def validate_cred_details
|
||||
if cred_details.kind_of? Array
|
||||
cred_details.each do |detail|
|
||||
unless detail.kind_of? Metasploit::Framework::LoginScanner::Credential
|
||||
errors.add(:cred_details, "has invalid element #{detail.inspect}")
|
||||
next
|
||||
end
|
||||
unless detail.valid?
|
||||
errors.add(:cred_details, "has invalid element #{detail.inspect}")
|
||||
end
|
||||
end
|
||||
else
|
||||
errors.add(:cred_details, "must be an array")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -5,9 +5,10 @@ module Metasploit
|
|||
module Framework
|
||||
module LoginScanner
|
||||
|
||||
# This is the LoginScanner class for dealing with the Secure Shell protocol.
|
||||
# This is the LoginScanner class for dealing with the Secure Shell protocol and PKI.
|
||||
# It is responsible for taking a single target, and a list of credentials
|
||||
# and attempting them. It then saves the results.
|
||||
# and attempting them. It then saves the results. In this case it is expecting
|
||||
# SSH private keys for the private credential.
|
||||
class SSHKey
|
||||
include ActiveModel::Validations
|
||||
|
||||
|
|
|
@ -0,0 +1,190 @@
|
|||
module Metasploit
|
||||
module Framework
|
||||
module Tcp
|
||||
|
||||
module EvasiveTCP
|
||||
attr_accessor :_send_size, :_send_delay, :evasive
|
||||
|
||||
def denagle
|
||||
begin
|
||||
setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
|
||||
rescue ::Exception
|
||||
end
|
||||
end
|
||||
|
||||
def write(buf, opts={})
|
||||
|
||||
return super(buf, opts) if not @evasive
|
||||
|
||||
ret = 0
|
||||
idx = 0
|
||||
len = @_send_size || buf.length
|
||||
|
||||
while(idx < buf.length)
|
||||
|
||||
if(@_send_delay and idx > 0)
|
||||
::IO.select(nil, nil, nil, @_send_delay)
|
||||
end
|
||||
|
||||
pkt = buf[idx, len]
|
||||
|
||||
res = super(pkt, opts)
|
||||
flush()
|
||||
|
||||
idx += len
|
||||
ret += res if res
|
||||
end
|
||||
ret
|
||||
end
|
||||
end
|
||||
|
||||
module Client
|
||||
|
||||
#
|
||||
# Establishes a TCP connection to the specified RHOST/RPORT
|
||||
#
|
||||
# @see Rex::Socket::Tcp
|
||||
# @see Rex::Socket::Tcp.create
|
||||
def connect(global = true, opts={})
|
||||
|
||||
dossl = false
|
||||
if(opts.has_key?('SSL'))
|
||||
dossl = opts['SSL']
|
||||
else
|
||||
dossl = ssl
|
||||
end
|
||||
|
||||
nsock = Rex::Socket::Tcp.create(
|
||||
'PeerHost' => opts['RHOST'] || rhost,
|
||||
'PeerPort' => (opts['RPORT'] || rport).to_i,
|
||||
'LocalHost' => opts['CHOST'] || chost || "0.0.0.0",
|
||||
'LocalPort' => (opts['CPORT'] || cport || 0).to_i,
|
||||
'SSL' => dossl,
|
||||
'SSLVersion' => opts['SSLVersion'] || ssl_version,
|
||||
'Proxies' => proxies,
|
||||
'Timeout' => (opts['ConnectTimeout'] || connection_timeout || 10).to_i
|
||||
)
|
||||
|
||||
# enable evasions on this socket
|
||||
set_tcp_evasions(nsock)
|
||||
|
||||
# Set this socket to the global socket as necessary
|
||||
self.sock = nsock if (global)
|
||||
|
||||
return nsock
|
||||
end
|
||||
|
||||
# Enable evasions on a given client
|
||||
def set_tcp_evasions(socket)
|
||||
|
||||
if( max_send_size.to_i == 0 and send_delay.to_i == 0)
|
||||
return
|
||||
end
|
||||
|
||||
return if socket.respond_to?('evasive')
|
||||
|
||||
socket.extend(EvasiveTCP)
|
||||
|
||||
if ( max_send_size.to_i > 0)
|
||||
socket._send_size = max_send_size
|
||||
socket.denagle
|
||||
socket.evasive = true
|
||||
end
|
||||
|
||||
if ( send_delay.to_i > 0)
|
||||
socket._send_delay = send_delay
|
||||
socket.evasive = true
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Closes the TCP connection
|
||||
#
|
||||
def disconnect(nsock = self.sock)
|
||||
begin
|
||||
if (nsock)
|
||||
nsock.shutdown
|
||||
nsock.close
|
||||
end
|
||||
rescue IOError
|
||||
end
|
||||
|
||||
if (nsock == sock)
|
||||
self.sock = nil
|
||||
end
|
||||
|
||||
# Remove this socket from the list of sockets created by this exploit
|
||||
remove_socket(nsock)
|
||||
end
|
||||
|
||||
##
|
||||
#
|
||||
# Wrappers for getters
|
||||
#
|
||||
##
|
||||
|
||||
def max_send_size
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
def send_delay
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the target host
|
||||
#
|
||||
def rhost
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the remote port
|
||||
#
|
||||
def rport
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the local host for outgoing connections
|
||||
#
|
||||
def chost
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the local port for outgoing connections
|
||||
#
|
||||
def cport
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the boolean indicating SSL
|
||||
#
|
||||
def ssl
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the string indicating SSLVersion
|
||||
#
|
||||
def ssl_version
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the proxy configuration
|
||||
#
|
||||
def proxies
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
attr_accessor :sock
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,486 @@
|
|||
require 'spec_helper'
|
||||
require 'metasploit/framework/login_scanner/ftp'
|
||||
|
||||
describe Metasploit::Framework::LoginScanner::FTP do
|
||||
let(:public) { 'root' }
|
||||
let(:private) { 'toor' }
|
||||
|
||||
let(:pub_blank) {
|
||||
Metasploit::Framework::LoginScanner::Credential.new(
|
||||
paired: true,
|
||||
public: public,
|
||||
private: ''
|
||||
)
|
||||
}
|
||||
|
||||
let(:pub_pub) {
|
||||
Metasploit::Framework::LoginScanner::Credential.new(
|
||||
paired: true,
|
||||
public: public,
|
||||
private: public
|
||||
)
|
||||
}
|
||||
|
||||
let(:pub_pri) {
|
||||
Metasploit::Framework::LoginScanner::Credential.new(
|
||||
paired: true,
|
||||
public: public,
|
||||
private: private
|
||||
)
|
||||
}
|
||||
|
||||
let(:invalid_detail) {
|
||||
Metasploit::Framework::LoginScanner::Credential.new(
|
||||
paired: true,
|
||||
public: nil,
|
||||
private: nil
|
||||
)
|
||||
}
|
||||
|
||||
let(:detail_group) {
|
||||
[ pub_blank, pub_pub, pub_pri]
|
||||
}
|
||||
|
||||
subject(:ftp_scanner) {
|
||||
described_class.new
|
||||
}
|
||||
|
||||
it { should respond_to :port }
|
||||
it { should respond_to :host }
|
||||
it { should respond_to :cred_details }
|
||||
it { should respond_to :connection_timeout }
|
||||
it { should respond_to :stop_on_success }
|
||||
it { should respond_to :valid! }
|
||||
it { should respond_to :scan! }
|
||||
it { should respond_to :successes }
|
||||
it { should respond_to :failures }
|
||||
|
||||
it { should respond_to :proxies }
|
||||
it { should respond_to :send_delay }
|
||||
it { should respond_to :max_send_size }
|
||||
it { should respond_to :ssl }
|
||||
it { should respond_to :ssl_version }
|
||||
|
||||
|
||||
context 'validations' do
|
||||
context 'port' do
|
||||
|
||||
it 'is not valid for not set' do
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:port]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a non-number' do
|
||||
ftp_scanner.port = "a"
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:port]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a floating point' do
|
||||
ftp_scanner.port = 5.76
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:port]).to include "must be an integer"
|
||||
end
|
||||
|
||||
it 'is not valid for a negative number' do
|
||||
ftp_scanner.port = -8
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:port]).to include "must be greater than or equal to 1"
|
||||
end
|
||||
|
||||
it 'is not valid for 0' do
|
||||
ftp_scanner.port = 0
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:port]).to include "must be greater than or equal to 1"
|
||||
end
|
||||
|
||||
it 'is not valid for a number greater than 65535' do
|
||||
ftp_scanner.port = rand(1000) + 65535
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:port]).to include "must be less than or equal to 65535"
|
||||
end
|
||||
|
||||
it 'is valid for a legitimate port number' do
|
||||
ftp_scanner.port = rand(65534) + 1
|
||||
expect(ftp_scanner.errors[:port]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context 'host' do
|
||||
|
||||
it 'is not valid for not set' do
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:host]).to include "can't be blank"
|
||||
end
|
||||
|
||||
it 'is not valid for a non-string input' do
|
||||
ftp_scanner.host = 5
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:host]).to include "must be a string"
|
||||
end
|
||||
|
||||
it 'is not valid for an improper IP address' do
|
||||
ftp_scanner.host = '192.168.1.1.5'
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:host]).to include "could not be resolved"
|
||||
end
|
||||
|
||||
it 'is not valid for an incomplete IP address' do
|
||||
ftp_scanner.host = '192.168'
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:host]).to include "could not be resolved"
|
||||
end
|
||||
|
||||
it 'is not valid for an invalid IP address' do
|
||||
ftp_scanner.host = '192.300.675.123'
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:host]).to include "could not be resolved"
|
||||
end
|
||||
|
||||
it 'is not valid for DNS name that cannot be resolved' do
|
||||
ftp_scanner.host = 'nosuchplace.metasploit.com'
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:host]).to include "could not be resolved"
|
||||
end
|
||||
|
||||
it 'is valid for a valid IP address' do
|
||||
ftp_scanner.host = '127.0.0.1'
|
||||
expect(ftp_scanner.errors[:host]).to be_empty
|
||||
end
|
||||
|
||||
it 'is valid for a DNS name it can resolve' do
|
||||
ftp_scanner.host = 'localhost'
|
||||
expect(ftp_scanner.errors[:host]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context 'cred_details' do
|
||||
it 'is not valid for not set' do
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:cred_details]).to include "can't be blank"
|
||||
end
|
||||
|
||||
it 'is not valid for a non-array input' do
|
||||
ftp_scanner.cred_details = rand(10)
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:cred_details]).to include "must be an array"
|
||||
end
|
||||
|
||||
it 'is not valid if any of the elements are not a Credential' do
|
||||
ftp_scanner.cred_details = [1,2]
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:cred_details]).to include "has invalid element 1"
|
||||
end
|
||||
|
||||
it 'is not valid if any of the CredDetails are invalid' do
|
||||
ftp_scanner.cred_details = [pub_blank, invalid_detail]
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
end
|
||||
|
||||
it 'is valid if all of the elements are valid' do
|
||||
ftp_scanner.cred_details = [pub_blank, pub_pub, pub_pri]
|
||||
expect(ftp_scanner.errors[:cred_details]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context 'connection_timeout' do
|
||||
|
||||
it 'is not valid for not set' do
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:connection_timeout]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a non-number' do
|
||||
ftp_scanner.connection_timeout = "a"
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:connection_timeout]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a floating point' do
|
||||
ftp_scanner.connection_timeout = 5.76
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:connection_timeout]).to include "must be an integer"
|
||||
end
|
||||
|
||||
it 'is not valid for a negative number' do
|
||||
ftp_scanner.connection_timeout = -8
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:connection_timeout]).to include "must be greater than or equal to 1"
|
||||
end
|
||||
|
||||
it 'is not valid for 0' do
|
||||
ftp_scanner.connection_timeout = 0
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:connection_timeout]).to include "must be greater than or equal to 1"
|
||||
end
|
||||
|
||||
it 'is valid for a legitimate number' do
|
||||
ftp_scanner.connection_timeout = rand(1000) + 1
|
||||
expect(ftp_scanner.errors[:connection_timeout]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context 'ftp_timeout' do
|
||||
|
||||
it 'is not valid for not set' do
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:ftp_timeout]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a non-number' do
|
||||
ftp_scanner.ftp_timeout = "a"
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:ftp_timeout]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a floating point' do
|
||||
ftp_scanner.ftp_timeout = 5.76
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:ftp_timeout]).to include "must be an integer"
|
||||
end
|
||||
|
||||
it 'is not valid for a negative number' do
|
||||
ftp_scanner.ftp_timeout = -8
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:ftp_timeout]).to include "must be greater than or equal to 1"
|
||||
end
|
||||
|
||||
it 'is not valid for 0' do
|
||||
ftp_scanner.ftp_timeout = 0
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:ftp_timeout]).to include "must be greater than or equal to 1"
|
||||
end
|
||||
|
||||
it 'is valid for a legitimate number' do
|
||||
ftp_scanner.ftp_timeout = rand(1000) + 1
|
||||
expect(ftp_scanner.errors[:ftp_timeout]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context 'send_delay' do
|
||||
it 'is not valid for a non-number' do
|
||||
ftp_scanner.send_delay = "a"
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:send_delay]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a floating point' do
|
||||
ftp_scanner.send_delay = 5.76
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:send_delay]).to include "must be an integer"
|
||||
end
|
||||
|
||||
it 'is not valid for a negative number' do
|
||||
ftp_scanner.send_delay = -8
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:send_delay]).to include "must be greater than or equal to 0"
|
||||
end
|
||||
|
||||
it 'is valid for a legitimate number' do
|
||||
ftp_scanner.send_delay = rand(1000) + 1
|
||||
expect(ftp_scanner.errors[:send_delay]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context 'max_send_size' do
|
||||
it 'is not valid for a non-number' do
|
||||
ftp_scanner.max_send_size = "a"
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:max_send_size]).to include "is not a number"
|
||||
end
|
||||
|
||||
it 'is not valid for a floating point' do
|
||||
ftp_scanner.max_send_size = 5.76
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:max_send_size]).to include "must be an integer"
|
||||
end
|
||||
|
||||
it 'is not valid for a negative number' do
|
||||
ftp_scanner.max_send_size = -8
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:max_send_size]).to include "must be greater than or equal to 0"
|
||||
end
|
||||
|
||||
it 'is valid for a legitimate number' do
|
||||
ftp_scanner.max_send_size = rand(1000) + 1
|
||||
expect(ftp_scanner.errors[:max_send_size]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
context 'stop_on_success' do
|
||||
|
||||
it 'is not valid for not set' do
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:stop_on_success]).to include 'is not included in the list'
|
||||
end
|
||||
|
||||
it 'is not valid for the string true' do
|
||||
ftp_scanner.stop_on_success = 'true'
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:stop_on_success]).to include 'is not included in the list'
|
||||
end
|
||||
|
||||
it 'is not valid for the string false' do
|
||||
ftp_scanner.stop_on_success = 'false'
|
||||
expect(ftp_scanner).to_not be_valid
|
||||
expect(ftp_scanner.errors[:stop_on_success]).to include 'is not included in the list'
|
||||
end
|
||||
|
||||
it 'is valid for true class' do
|
||||
ftp_scanner.stop_on_success = true
|
||||
expect(ftp_scanner.errors[:stop_on_success]).to be_empty
|
||||
end
|
||||
|
||||
it 'is valid for false class' do
|
||||
ftp_scanner.stop_on_success = false
|
||||
expect(ftp_scanner.errors[:stop_on_success]).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
context '#valid!' do
|
||||
it 'raises a Metasploit::Framework::LoginScanner::Invalid when validations fail' do
|
||||
expect{ftp_scanner.valid!}.to raise_error Metasploit::Framework::LoginScanner::Invalid
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context '#attempt_login' do
|
||||
before(:each) do
|
||||
ftp_scanner.host = '127.0.0.1'
|
||||
ftp_scanner.port = 21
|
||||
ftp_scanner.connection_timeout = 30
|
||||
ftp_scanner.ftp_timeout = 16
|
||||
ftp_scanner.stop_on_success = true
|
||||
ftp_scanner.cred_details = detail_group
|
||||
end
|
||||
|
||||
|
||||
context 'when it fails' do
|
||||
|
||||
it 'returns :connection_error for a Rex::ConnectionError' do
|
||||
Rex::Socket::Tcp.should_receive(:create) { raise Rex::ConnectionError }
|
||||
expect(ftp_scanner.attempt_login(pub_pri).status).to eq :connection_error
|
||||
end
|
||||
|
||||
it 'returns :connection_error for a Rex::AddressInUse' do
|
||||
Rex::Socket::Tcp.should_receive(:create) { raise Rex::AddressInUse }
|
||||
expect(ftp_scanner.attempt_login(pub_pri).status).to eq :connection_error
|
||||
end
|
||||
|
||||
it 'returns :connection_disconnect for a ::EOFError' do
|
||||
Rex::Socket::Tcp.should_receive(:create) { raise ::EOFError }
|
||||
expect(ftp_scanner.attempt_login(pub_pri).status).to eq :connection_error
|
||||
end
|
||||
|
||||
it 'returns :connection_disconnect for a ::Timeout::Error' do
|
||||
Rex::Socket::Tcp.should_receive(:create) { raise ::Timeout::Error }
|
||||
expect(ftp_scanner.attempt_login(pub_pri).status).to eq :connection_error
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context 'when it succeeds' do
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
context '#scan!' do
|
||||
let(:success) {
|
||||
::Metasploit::Framework::LoginScanner::Result.new(
|
||||
private: public,
|
||||
proof: '',
|
||||
public: public,
|
||||
realm: nil,
|
||||
status: :success
|
||||
)
|
||||
}
|
||||
|
||||
let(:failure_blank) {
|
||||
::Metasploit::Framework::LoginScanner::Result.new(
|
||||
private: '',
|
||||
proof: nil,
|
||||
public: public,
|
||||
realm: nil,
|
||||
status: :failed
|
||||
)
|
||||
}
|
||||
|
||||
let(:failure) {
|
||||
::Metasploit::Framework::LoginScanner::Result.new(
|
||||
private: private,
|
||||
proof: nil,
|
||||
public: public,
|
||||
realm: nil,
|
||||
status: :failed
|
||||
)
|
||||
}
|
||||
|
||||
before(:each) do
|
||||
ftp_scanner.host = '127.0.0.1'
|
||||
ftp_scanner.port = 21
|
||||
ftp_scanner.connection_timeout = 30
|
||||
ftp_scanner.ftp_timeout = 16
|
||||
ftp_scanner.stop_on_success = false
|
||||
ftp_scanner.cred_details = detail_group
|
||||
end
|
||||
|
||||
it 'calls valid! before running' do
|
||||
my_scanner = ftp_scanner
|
||||
my_scanner.should_receive(:scan!).and_call_original
|
||||
my_scanner.scan!
|
||||
end
|
||||
|
||||
it 'call attempt_login once for each cred_detail' do
|
||||
my_scanner = ftp_scanner
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_blank).and_call_original
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_pub).and_call_original
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_pri).and_call_original
|
||||
my_scanner.scan!
|
||||
end
|
||||
|
||||
it 'adds the failed results to the failures attribute' do
|
||||
my_scanner = ftp_scanner
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_blank).and_return failure_blank
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_pub).and_return success
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_pri).and_return failure
|
||||
my_scanner.scan!
|
||||
expect(my_scanner.failures).to include failure_blank
|
||||
expect(my_scanner.failures).to include failure
|
||||
end
|
||||
|
||||
it 'adds the success results to the successes attribute' do
|
||||
my_scanner = ftp_scanner
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_blank).and_return failure_blank
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_pub).and_return success
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_pri).and_return failure
|
||||
my_scanner.scan!
|
||||
expect(my_scanner.successes).to include success
|
||||
end
|
||||
|
||||
context 'when stop_on_success is true' do
|
||||
before(:each) do
|
||||
ftp_scanner.host = '127.0.0.1'
|
||||
ftp_scanner.port = 21
|
||||
ftp_scanner.connection_timeout = 30
|
||||
ftp_scanner.ftp_timeout = 16
|
||||
ftp_scanner.stop_on_success = true
|
||||
ftp_scanner.cred_details = detail_group
|
||||
end
|
||||
|
||||
it 'stops after the first successful login' do
|
||||
my_scanner = ftp_scanner
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_blank).and_return failure_blank
|
||||
my_scanner.should_receive(:attempt_login).once.with(pub_pub).and_return success
|
||||
my_scanner.should_not_receive(:attempt_login).with(pub_pri)
|
||||
my_scanner.scan!
|
||||
expect(my_scanner.failures).to_not include failure
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue