refactor auxiliary/admin/http credential storage

GSoC/Meterpreter_Web_Console
Jeffrey Martin 2017-05-22 23:59:02 -05:00
parent b7b1995238
commit eaca873112
No known key found for this signature in database
GPG Key ID: 0CD9BBC2AF15F171
16 changed files with 121 additions and 461 deletions


@ -69,32 +69,6 @@ class MetasploitModule < Msf::Auxiliary
return nil return nil
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
print_status("Trying to find the service desk service strong name...") print_status("Trying to find the service desk service strong name...")
@ -256,14 +230,16 @@ class MetasploitModule < Msf::Auxiliary
login_url = ssl ? "https://" : "http://" login_url = ssl ? "https://" : "http://"
login_url << "#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp" login_url << "#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp"
report_cred( connection_details = {
ip: rhost, module_fullname: self.fullname,
port: rport, username: datastore['USERNAME'],
service_name: (ssl ? "https" : "http"), private_data: datastore['PASSWORD'],
user: datastore['USERNAME'], private_type: :password,
password: datastore['PASSWORD'], workspace_id: myworkspace_id,
proof: "#{login_url}\n#{res.body}" proof: "#{login_url}\n#{res.body}",
) status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.") print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.")
print_status("Use it to log into #{login_url}") print_status("Use it to log into #{login_url}")
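Review bot: The added `connection_details` hash sets `workspace_id: myworkspace_id` explicitly, while the equivalent hashes in several other files of this commit leave it out and rely only on `.merge(service_details)`. `service_details` is not visible on this page; if it already supplies the workspace the key is redundant here, and if it does not, the hashes without it store credentials with no explicit workspace. Picking one form for all modules would remove the doubt. The enclosing `run` method starts and ends outside the hunk.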


@ -31,35 +31,6 @@ class MetasploitModule < Msf::Auxiliary
) )
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device") vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
@ -99,6 +70,19 @@ class MetasploitModule < Msf::Auxiliary
vprint_good("user: #{@user}") vprint_good("user: #{@user}")
vprint_good("pass: #{pass}") vprint_good("pass: #{pass}")
connection_details = {
module_fullname: self.fullname,
username: @user,
private_data: pass,
private_type: :password,
workspace_id: myworkspace_id,
proof: line,
last_attempted_at: DateTime.now, # kept in refactor may not be valid, obtained but do not attempted here
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
report_cred( report_cred(
ip: rhost, ip: rhost,
port: rport, port: rport,
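Review bot: The context lines after the added block still call `report_cred(`, but this commit removes the `report_cred` definition from the same file in the hunk above. Unless a mixin provides a method of that name, the call will raise `NoMethodError` right after `create_credential_and_login` has run, and if one does exist the credential is stored twice. The leftover `report_cred(...)` call should be deleted as part of the refactor; its closing lines are outside the hunk.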


@ -29,33 +29,6 @@ class MetasploitModule < Msf::Auxiliary
) )
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device") vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
@ -93,14 +66,19 @@ class MetasploitModule < Msf::Auxiliary
pass = $1 pass = $1
pass = Rex::Text.decode_base64(pass) pass = Rex::Text.decode_base64(pass)
print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}") print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")
report_cred(
ip: rhost, connection_details = {
port: rport, module_fullname: self.fullname,
sname: 'http', username: user,
user: user, private_data: pass,
password: pass, private_type: :password,
proof: line workspace_id: myworkspace_id,
) proof: line,
last_attempted_at: DateTime.now, # kept in refactor may not be valid, obtained but do not attempted here
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end end
end end
end end
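Review bot: The added hash pairs `last_attempted_at: DateTime.now` with `status: Metasploit::Model::Login::Status::UNTRIED`, and the inline comment itself says the timestamp may not be valid; the same pair is added in the preceding file section. A login that was never attempted should not carry an attempt time, and the login model may reject the combination, so I would drop the `last_attempted_at` line in both places rather than keep it with a caveat. If it has to stay for now, replace the comment with `# TODO: remove; the credential was read from the device, no login was attempted`.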


@ -76,30 +76,16 @@ class MetasploitModule < Msf::Auxiliary
end end
print_good("Master Administrator account with credentials #{datastore['KASEYA_USER']}:#{datastore['KASEYA_PASS']} created") print_good("Master Administrator account with credentials #{datastore['KASEYA_USER']}:#{datastore['KASEYA_PASS']} created")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = { connection_details = {
origin_type: :service,
module_fullname: self.fullname, module_fullname: self.fullname,
private_type: :password, username: datastore['KASEYA_USER'],
private_data: datastore['KASEYA_PASS'], private_data: datastore['KASEYA_PASS'],
username: datastore['KASEYA_USER'] private_type: :password,
} workspace_id: myworkspace_id,
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Master Administrator', access_level: 'Master Administrator',
status: Metasploit::Model::Login::Status::UNTRIED status: Metasploit::Model::Login::Status::UNTRIED
} }.merge(service_details)
login_data.merge!(service_data) create_credential_and_login(connection_details)
create_credential_login(login_data)
end end
end end


@ -67,29 +67,15 @@ class MetasploitModule < Msf::Auxiliary
end end
print_good("Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}") print_good("Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
service_data = { connection_details = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname, module_fullname: self.fullname,
private_type: :password, username: datastore['USERNAME'],
private_data: datastore['PASSWORD'], private_data: datastore['PASSWORD'],
username: datastore['USERNAME'] private_type: :password,
} workspace_id: myworkspace_id,
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Administrator', access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED status: Metasploit::Model::Login::Status::UNTRIED
} }.merge(service_details)
login_data.merge!(service_data) create_credential_and_login(connection_details)
create_credential_login(login_data)
end end
end end


@ -240,41 +240,14 @@ class MetasploitModule < Msf::Auxiliary
end end
print_status("Reporting Super Administrator credentials...") print_status("Reporting Super Administrator credentials...")
report_super_admin_creds(username, password) store_valid_credentail(user: username, private: password)
print_status("Leaking Password database...") print_status("Leaking Password database...")
loot_passwords(cookie_su) loot_passwords(cookie_su)
end end
def report_super_admin_creds(username, password) def service_details
status = Metasploit::Model::Login::Status::SUCCESSFUL super.merge({access_level: 'Super Administrator'})
service_data = {
address: rhost,
port: rport,
service_name: 'https',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: username,
username: password
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Super Administrator',
status: status,
last_attempted_at: DateTime.now
}
login_data.merge!(service_data)
create_credential_login(login_data)
end end
def loot_passwords(cookie_admin) def loot_passwords(cookie_admin)
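Review bot: The new call is spelled `store_valid_credentail`, presumably a typo, since the other files in this commit call `store_valid_credential`; as written the line will raise `NoMethodError` before `loot_passwords` runs and no credential is stored. It should read `store_valid_credential(user: username, private: password)`. Separately, the new `service_details` override merges `access_level`, which the removed code set on the login rather than on the service data; a short comment such as `# access_level is merged here so the stored login records it` would explain why it lives in this method.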


@ -149,45 +149,13 @@ class MetasploitModule < Msf::Auxiliary
print_good("File saved in: #{path}") print_good("File saved in: #{path}")
end end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: 'netgear',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
cookie = authenticate cookie = authenticate
if cookie == nil if cookie == nil
fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.") fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
else else
print_good("#{peer} - Logged in with #{datastore['USERNAME']}:#{datastore['PASSWORD']} successfully.") print_good("#{peer} - Logged in with #{datastore['USERNAME']}:#{datastore['PASSWORD']} successfully.")
report_cred( store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'], proof: cookie) # more consistent service_name and protocol
user: datastore['USERNAME'],
password: datastore['PASSWORD'],
proof: cookie
)
end end
if datastore['FILEPATH'].blank? if datastore['FILEPATH'].blank?
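Review bot: The trailing comment on the new `store_valid_credential(...)` line, `# more consistent service_name and protocol`, describes what the refactor changed rather than what the code does, so it will read as noise once the commit is merged. The same applies to the trailing comments on the `store_valid_credential` call and on the `create_credential_and_login` call in two later file sections. That rationale belongs in the commit message; if the stored `service_name` no longer being `'netgear'` matters to anyone querying the database, note it in the module documentation instead.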


@ -131,33 +131,14 @@ class MetasploitModule < Msf::Auxiliary
pass = $1 pass = $1
print_good("admin / #{pass} credentials found") print_good("admin / #{pass} credentials found")
service_data = { connection_details = {
address: rhost,
port: rport,
service_name: 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname, module_fullname: self.fullname,
origin_type: :service,
private_data: pass, private_data: pass,
private_type: :password, private_type: :password,
username: 'admin' username: 'admin',
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED status: Metasploit::Model::Login::Status::UNTRIED
} }.merge(service_details)
login_data.merge!(service_data) create_credential_and_login(connection_details)
create_credential_login(login_data)
end end
end end


@ -149,33 +149,6 @@ class MetasploitModule < Msf::Auxiliary
return [username, password] return [username, password]
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: 'netgear',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def send_req(timestamp) def send_req(timestamp)
begin begin
query_str = (timestamp == nil ? \ query_str = (timestamp == nil ? \
@ -242,7 +215,7 @@ class MetasploitModule < Msf::Auxiliary
if res && res.code == 200 if res && res.code == 200
credentials = get_creds credentials = get_creds
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"") print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
report_cred({ 'user' => credentials[0], 'password' => credentials[1] }) store_valid_credential(user: credentials[0], private: credentials[1]) # more consistent service_name and protocol, now supplies ip and port
return return
end end
end end


@ -44,37 +44,10 @@ class MetasploitModule < Msf::Auxiliary
]) ])
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
user = datastore['USERNAME'] user = datastore['USERNAME']
pass = datastore['PASSWORD'] pass = datastore['PASSWORD']
trust_store = datastore['TRUST_STORE'] trust_store = datastore['TRUST_STORE']
prot = ssl ? 'https' : 'http'
nsc = Nexpose::Connection.new(rhost, user, pass, rport, nil, nil, trust_store) nsc = Nexpose::Connection.new(rhost, user, pass, rport, nil, nil, trust_store)
@ -82,13 +55,14 @@ class MetasploitModule < Msf::Auxiliary
begin begin
nsc.login nsc.login
report_cred( connection_details = {
ip: rhost, module_fullname: self.fullname,
port: rport, username: user,
service_name: prot, private_data: pass,
user: user, private_type: :password,
password: pass status: Metasploit::Model::Login::Status::UNTRIED
) }.merge(service_details)
create_credential_and_login(connection_details)
rescue rescue
print_error("Error authenticating, check your credentials") print_error("Error authenticating, check your credentials")
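Review bot: The bare `rescue` that follows covers both `nsc.login` and the new `create_credential_and_login` call, so a failure while storing the credential is reported as "Error authenticating, check your credentials". Moving the storage call out of the `begin`/`rescue` block, or rescuing only the login error class, would keep the two failures distinct. Since `nsc.login` has already succeeded when the hash is built, `store_valid_credential(user: user, private: pass)`, as used in other files of this commit, may fit better than a login stored as `UNTRIED`. The `rescue` body continues outside the hunk.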


@ -55,30 +55,17 @@ class MetasploitModule < Msf::Auxiliary
if res && res.code == 200 && res.body.to_s =~ /Error while creating account/ if res && res.code == 200 && res.body.to_s =~ /Error while creating account/
# No way to know whether this worked or not, it always says error # No way to know whether this worked or not, it always says error
print_status("The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually") print_status("The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['PASSWORD'],
username: datastore['USERNAME']
}
credential_data.merge!(service_data) connection_details = {
credential_core = create_credential(credential_data) module_fullname: self.fullname,
login_data = { username: datastore['USERNAME'],
core: credential_core, private_data: datastore['PASSWORD'],
private_type: :password,
access_level: 'Administrator', access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED status: Metasploit::Model::Login::Status::UNTRIED
} }.merge(service_details)
login_data.merge!(service_data) create_credential_and_login(connection_details)
create_credential_login(login_data)
else else
print_error("Administrator account creation failed") print_error("Administrator account creation failed")
end end


@ -126,16 +126,8 @@ class MetasploitModule < Msf::Auxiliary
end end
end end
def report_credential_core(cred_opts={}) def report_credential_core(cred_opts={})
origin_service_data = { # use a basic core only since this credential is not known valid for service it was obtained from.
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = { credential_data = {
origin_type: :service, origin_type: :service,
module_fullname: self.fullname, module_fullname: self.fullname,
@ -143,8 +135,6 @@ class MetasploitModule < Msf::Auxiliary
private_data: cred_opts[:password], private_data: cred_opts[:password],
username: cred_opts[:username] username: cred_opts[:username]
} }
credential_data.merge!(origin_service_data)
create_credential(credential_data) create_credential(credential_data)
end end
end end
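Review bot: `credential_data` still sets `origin_type: :service`, but these hunks remove `origin_service_data` and the `merge!` that supplied `address`, `port`, `service_name`, `protocol` and `workspace_id`. If `create_credential` builds the service origin from those keys, as the removed code suggests, the call now lacks them and may raise or store a credential without its origin. Either keep the service keys for the origin (for example by merging `service_details`, if that helper is available in this module) or state in the comment why they are not needed. The added comment would also read better as a full sentence: `# Store only a credential core: the credential has not been validated against the service it was obtained from.`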


@ -47,33 +47,6 @@ class MetasploitModule < Msf::Auxiliary
datastore["PASSWORD"] datastore["PASSWORD"]
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
if user == pass if user == pass
@ -109,14 +82,15 @@ class MetasploitModule < Msf::Auxiliary
if res and res.code == 200 and res.body =~ /Administrator account created/ if res and res.code == 200 and res.body =~ /Administrator account created/
print_good("Admin account with credentials #{user}:#{pass} successfully created") print_good("Admin account with credentials #{user}:#{pass} successfully created")
report_cred( connection_details = {
ip: rhost, module_fullname: self.fullname,
port: rport, username: user,
service_name: 'http', private_data: pass,
user: user, private_type: :password,
password: pass, status: Metasploit::Model::Login::Status::UNTRIED,
proof: res.body proof: res.body
) }.merge(service_details)
create_credential_and_login(connection_details)
else else
print_error("Admin account creation failed") print_error("Admin account creation failed")
end end


@ -102,7 +102,14 @@ Windows and Linux.
if password && username if password && username
plaintext_password = super_redacted_deobfuscation(password) plaintext_password = super_redacted_deobfuscation(password)
cred_table << [ username, plaintext_password ] cred_table << [ username, plaintext_password ]
register_creds(username, plaintext_password) connection_details = {
module_fullname: self.fullname,
username: username,
private_data: plaintext_password,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end end
} }
@ -242,34 +249,7 @@ Windows and Linux.
final final
end end
def register_creds(username, password) def service_details
credential_data = { super.merge({service_name: 'WebNMS-' + (ssl ? 'HTTPS' : 'HTTP')}) # this should possibly be removed
origin_type: :service,
module_fullname: self.fullname,
workspace_id: myworkspace_id,
private_data: password,
private_type: :password,
username: username
}
service_data = {
address: rhost,
port: rport,
service_name: 'WebNMS-' + (ssl ? 'HTTPS' : 'HTTP'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED,
workspace_id: myworkspace_id
}
login_data.merge!(service_data)
create_credential_login(login_data)
end end
end end
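Review bot: The trailing comment on the new `service_details` override, `# this should possibly be removed`, does not say what should be removed or under which condition, so the next reader cannot act on it. If the open question is whether the custom `'WebNMS-' + (ssl ? 'HTTPS' : 'HTTP')` service name should give way to the default, state that, e.g. `# TODO: decide whether to drop this override and use the default service_name`.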


@ -63,32 +63,6 @@ class MetasploitModule < Msf::Auxiliary
end end
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
vprint_status("#{peer} - Attempting to connect...") vprint_status("#{peer} - Attempting to connect...")
vprint_status("#{peer} - Trying to retrieve the first user id...") vprint_status("#{peer} - Trying to retrieve the first user id...")
@ -127,14 +101,15 @@ class MetasploitModule < Msf::Auxiliary
user_email = values[2] user_email = values[2]
print_good("#{peer} - #{sprintf("%-15s %-34s %s", user_login, user_pass, user_email)}") print_good("#{peer} - #{sprintf("%-15s %-34s %s", user_login, user_pass, user_email)}")
report_cred( connection_details = {
ip: rhost, module_fullname: self.fullname,
port: datastore['RPORT'], username: user_login,
service_name: datastore['SSL'] ? 'https' : 'http', private_data: user_pass,
user: user_login, private_type: :nonreplayable_hash,
password: user_pass, status: Metasploit::Model::Login::Status::UNTRIED,
proof: user_email proof: user_email
) }.merge(service_details)
create_credential(connection_details)
credentials << "#{user_login},#{user_pass},#{user_email}\n" credentials << "#{user_login},#{user_pass},#{user_email}\n"
end end
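Review bot: The new code ends with `create_credential(connection_details)`, while most other modules in this commit call `create_credential_and_login` and the removed `report_cred` also created a login. The hash still carries `status` and `proof`, which the removed code passed only to the login, so they are presumably ignored here. If skipping the login is deliberate for a `:nonreplayable_hash`, drop those two keys and add a comment such as `# hash only, no login is recorded`; otherwise call `create_credential_and_login(connection_details)`. The loop this sits in starts outside the hunk.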


@ -31,32 +31,6 @@ class MetasploitModule < Msf::Auxiliary
) )
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run def run
begin begin
print_status("Trying to get 'admin' user password ...") print_status("Trying to get 'admin' user password ...")
@ -87,14 +61,15 @@ class MetasploitModule < Msf::Auxiliary
admin_password = admin_password_matches[1]; admin_password = admin_password_matches[1];
print_good("Password for user 'admin' is: #{admin_password}") print_good("Password for user 'admin' is: #{admin_password}")
report_cred( connection_details = {
ip: rhost, module_fullname: self.fullname,
port: rport, username: 'admin',
service_name: 'ZyXEL GS1510-16', private_data: admin_password,
user: 'admin', private_type: :password,
password: admin_password, status: Metasploit::Model::Login::Status::UNTRIED,
proof: res.body proof: res.body
) }.merge(service_details)
create_credential_and_login(connection_details) # makes service_name more consistent
end end
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Failed to connect") print_error("#{rhost}:#{rport} - Failed to connect")