refactor auxiliary/admin/http credential storage

GSoC/Meterpreter_Web_Console
Jeffrey Martin 2017-05-22 23:59:02 -05:00
parent b7b1995238
commit eaca873112
No known key found for this signature in database
GPG Key ID: 0CD9BBC2AF15F171
16 changed files with 121 additions and 461 deletions

View File

@ -69,32 +69,6 @@ class MetasploitModule < Msf::Auxiliary
return nil
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
print_status("Trying to find the service desk service strong name...")
@ -256,14 +230,16 @@ class MetasploitModule < Msf::Auxiliary
login_url = ssl ? "https://" : "http://"
login_url << "#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp"
report_cred(
ip: rhost,
port: rport,
service_name: (ssl ? "https" : "http"),
user: datastore['USERNAME'],
password: datastore['PASSWORD'],
proof: "#{login_url}\n#{res.body}"
)
connection_details = {
module_fullname: self.fullname,
username: datastore['USERNAME'],
private_data: datastore['PASSWORD'],
private_type: :password,
workspace_id: myworkspace_id,
proof: "#{login_url}\n#{res.body}",
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.")
print_status("Use it to log into #{login_url}")

View File

@ -31,35 +31,6 @@ class MetasploitModule < Msf::Auxiliary
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
@ -99,6 +70,19 @@ class MetasploitModule < Msf::Auxiliary
vprint_good("user: #{@user}")
vprint_good("pass: #{pass}")
connection_details = {
module_fullname: self.fullname,
username: @user,
private_data: pass,
private_type: :password,
workspace_id: myworkspace_id,
proof: line,
last_attempted_at: DateTime.now, # kept in refactor may not be valid, obtained but do not attempted here
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
report_cred(
ip: rhost,
port: rport,

View File

@ -29,33 +29,6 @@ class MetasploitModule < Msf::Auxiliary
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
@ -93,14 +66,19 @@ class MetasploitModule < Msf::Auxiliary
pass = $1
pass = Rex::Text.decode_base64(pass)
print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")
report_cred(
ip: rhost,
port: rport,
sname: 'http',
user: user,
password: pass,
proof: line
)
connection_details = {
module_fullname: self.fullname,
username: user,
private_data: pass,
private_type: :password,
workspace_id: myworkspace_id,
proof: line,
last_attempted_at: DateTime.now, # kept in refactor may not be valid, obtained but do not attempted here
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
end
end

View File

@ -76,30 +76,16 @@ class MetasploitModule < Msf::Auxiliary
end
print_good("Master Administrator account with credentials #{datastore['KASEYA_USER']}:#{datastore['KASEYA_PASS']} created")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['KASEYA_PASS'],
username: datastore['KASEYA_USER']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Master Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
connection_details = {
module_fullname: self.fullname,
username: datastore['KASEYA_USER'],
private_data: datastore['KASEYA_PASS'],
private_type: :password,
workspace_id: myworkspace_id,
access_level: 'Master Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
end

View File

@ -67,29 +67,15 @@ class MetasploitModule < Msf::Auxiliary
end
print_good("Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['PASSWORD'],
username: datastore['USERNAME']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
connection_details = {
module_fullname: self.fullname,
username: datastore['USERNAME'],
private_data: datastore['PASSWORD'],
private_type: :password,
workspace_id: myworkspace_id,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
end

View File

@ -240,41 +240,14 @@ class MetasploitModule < Msf::Auxiliary
end
print_status("Reporting Super Administrator credentials...")
report_super_admin_creds(username, password)
store_valid_credentail(user: username, private: password)
print_status("Leaking Password database...")
loot_passwords(cookie_su)
end
def report_super_admin_creds(username, password)
status = Metasploit::Model::Login::Status::SUCCESSFUL
service_data = {
address: rhost,
port: rport,
service_name: 'https',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: username,
username: password
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Super Administrator',
status: status,
last_attempted_at: DateTime.now
}
login_data.merge!(service_data)
create_credential_login(login_data)
def service_details
super.merge({access_level: 'Super Administrator'})
end
def loot_passwords(cookie_admin)

View File

@ -149,45 +149,13 @@ class MetasploitModule < Msf::Auxiliary
print_good("File saved in: #{path}")
end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: 'netgear',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
cookie = authenticate
if cookie == nil
fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
else
print_good("#{peer} - Logged in with #{datastore['USERNAME']}:#{datastore['PASSWORD']} successfully.")
report_cred(
user: datastore['USERNAME'],
password: datastore['PASSWORD'],
proof: cookie
)
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'], proof: cookie) # more consistent service_name and protocol
end
if datastore['FILEPATH'].blank?

View File

@ -131,33 +131,14 @@ class MetasploitModule < Msf::Auxiliary
pass = $1
print_good("admin / #{pass} credentials found")
service_data = {
address: rhost,
port: rport,
service_name: 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
connection_details = {
module_fullname: self.fullname,
origin_type: :service,
private_data: pass,
private_type: :password,
username: 'admin'
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
username: 'admin',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
}.merge(service_details)
create_credential_and_login(connection_details)
end
end

View File

@ -149,33 +149,6 @@ class MetasploitModule < Msf::Auxiliary
return [username, password]
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: 'netgear',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def send_req(timestamp)
begin
query_str = (timestamp == nil ? \
@ -242,7 +215,7 @@ class MetasploitModule < Msf::Auxiliary
if res && res.code == 200
credentials = get_creds
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
report_cred({ 'user' => credentials[0], 'password' => credentials[1] })
store_valid_credential(user: credentials[0], private: credentials[1]) # more consistent service_name and protocol, now supplies ip and port
return
end
end

View File

@ -44,37 +44,10 @@ class MetasploitModule < Msf::Auxiliary
])
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_data)
create_credential_login(login_data)
end
def run
user = datastore['USERNAME']
pass = datastore['PASSWORD']
trust_store = datastore['TRUST_STORE']
prot = ssl ? 'https' : 'http'
nsc = Nexpose::Connection.new(rhost, user, pass, rport, nil, nil, trust_store)
@ -82,13 +55,14 @@ class MetasploitModule < Msf::Auxiliary
begin
nsc.login
report_cred(
ip: rhost,
port: rport,
service_name: prot,
user: user,
password: pass
)
connection_details = {
module_fullname: self.fullname,
username: user,
private_data: pass,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
rescue
print_error("Error authenticating, check your credentials")

View File

@ -55,30 +55,17 @@ class MetasploitModule < Msf::Auxiliary
if res && res.code == 200 && res.body.to_s =~ /Error while creating account/
# No way to know whether this worked or not, it always says error
print_status("The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['PASSWORD'],
username: datastore['USERNAME']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
connection_details = {
module_fullname: self.fullname,
username: datastore['USERNAME'],
private_data: datastore['PASSWORD'],
private_type: :password,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
else
print_error("Administrator account creation failed")
end

View File

@ -126,16 +126,8 @@ class MetasploitModule < Msf::Auxiliary
end
end
def report_credential_core(cred_opts={})
origin_service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
# use a basic core only since this credential is not known valid for service it was obtained from.
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
@ -143,8 +135,6 @@ class MetasploitModule < Msf::Auxiliary
private_data: cred_opts[:password],
username: cred_opts[:username]
}
credential_data.merge!(origin_service_data)
create_credential(credential_data)
end
end

View File

@ -47,33 +47,6 @@ class MetasploitModule < Msf::Auxiliary
datastore["PASSWORD"]
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
if user == pass
@ -109,14 +82,15 @@ class MetasploitModule < Msf::Auxiliary
if res and res.code == 200 and res.body =~ /Administrator account created/
print_good("Admin account with credentials #{user}:#{pass} successfully created")
report_cred(
ip: rhost,
port: rport,
service_name: 'http',
user: user,
password: pass,
proof: res.body
)
connection_details = {
module_fullname: self.fullname,
username: user,
private_data: pass,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: res.body
}.merge(service_details)
create_credential_and_login(connection_details)
else
print_error("Admin account creation failed")
end

View File

@ -102,7 +102,14 @@ Windows and Linux.
if password && username
plaintext_password = super_redacted_deobfuscation(password)
cred_table << [ username, plaintext_password ]
register_creds(username, plaintext_password)
connection_details = {
module_fullname: self.fullname,
username: username,
private_data: plaintext_password,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end
}
@ -242,34 +249,7 @@ Windows and Linux.
final
end
def register_creds(username, password)
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
workspace_id: myworkspace_id,
private_data: password,
private_type: :password,
username: username
}
service_data = {
address: rhost,
port: rport,
service_name: 'WebNMS-' + (ssl ? 'HTTPS' : 'HTTP'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED,
workspace_id: myworkspace_id
}
login_data.merge!(service_data)
create_credential_login(login_data)
def service_details
super.merge({service_name: 'WebNMS-' + (ssl ? 'HTTPS' : 'HTTP')}) # this should possibly be removed
end
end

View File

@ -63,32 +63,6 @@ class MetasploitModule < Msf::Auxiliary
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
vprint_status("#{peer} - Attempting to connect...")
vprint_status("#{peer} - Trying to retrieve the first user id...")
@ -127,14 +101,15 @@ class MetasploitModule < Msf::Auxiliary
user_email = values[2]
print_good("#{peer} - #{sprintf("%-15s %-34s %s", user_login, user_pass, user_email)}")
report_cred(
ip: rhost,
port: datastore['RPORT'],
service_name: datastore['SSL'] ? 'https' : 'http',
user: user_login,
password: user_pass,
proof: user_email
)
connection_details = {
module_fullname: self.fullname,
username: user_login,
private_data: user_pass,
private_type: :nonreplayable_hash,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: user_email
}.merge(service_details)
create_credential(connection_details)
credentials << "#{user_login},#{user_pass},#{user_email}\n"
end

View File

@ -31,32 +31,6 @@ class MetasploitModule < Msf::Auxiliary
)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run
begin
print_status("Trying to get 'admin' user password ...")
@ -87,14 +61,15 @@ class MetasploitModule < Msf::Auxiliary
admin_password = admin_password_matches[1];
print_good("Password for user 'admin' is: #{admin_password}")
report_cred(
ip: rhost,
port: rport,
service_name: 'ZyXEL GS1510-16',
user: 'admin',
password: admin_password,
proof: res.body
)
connection_details = {
module_fullname: self.fullname,
username: 'admin',
private_data: admin_password,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: res.body
}.merge(service_details)
create_credential_and_login(connection_details) # makes service_name more consistent
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Failed to connect")