Merge branch 'feature/MSP-10660/realm_adjustments' into staging/electro-release

Author: egypt

Gemfile

@@ -7,7 +7,7 @@ group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
   # Metasploit::Credential database models
-  gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.5.6.pre.electro.pre.release'
+  gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.6.0-electro-release'
   # Database models shared between framework and Pro.
   gem 'metasploit_data_models', '>= 0.18.0', '< 0.19'
   # Needed for module caching in Mdm::ModuleDetails
@@ -35,10 +35,10 @@ group :development, :test do
   # running documentation generation tasks and rspec tasks
   gem 'rake', '>= 10.0.0'
   # testing framework
-  gem 'rspec', '>= 2.12'
+  gem 'rspec', '>= 2.12', '< 3.0.0'
   # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
   # environment is development
-  gem 'rspec-rails'
+  gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
 end
 
 group :pcap do

Gemfile.lock

@@ -1,11 +1,11 @@
 GIT
   remote: github-metasploit-credential:rapid7/metasploit-credential.git
-  revision: 8a8b4f74535d728b1852e4d4d55abb9d828b8a8a
-  tag: v0.5.6.pre.electro.pre.release
+  revision: 1a472b5f7f6df6fa6a01233e0831ec4383c8f5a2
+  tag: v0.6.0-electro-release
   specs:
-    metasploit-credential (0.5.6.pre.electro.pre.release)
+    metasploit-credential (0.6.0)
       metasploit-concern (~> 0.1.0)
-      metasploit-model (>= 0.25.1, < 0.26)
+      metasploit-model (>= 0.25.3, < 0.26)
       metasploit_data_models (>= 0.18.0, < 0.19)
       rubyntlm
       rubyzip (~> 1.1)
@@ -30,25 +30,25 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (3.2.17)
-      activemodel (= 3.2.17)
-      activesupport (= 3.2.17)
+    actionpack (3.2.19)
+      activemodel (= 3.2.19)
+      activesupport (= 3.2.19)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
       rack (~> 1.4.5)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.17)
-      activesupport (= 3.2.17)
+    activemodel (3.2.19)
+      activesupport (= 3.2.19)
       builder (~> 3.0.0)
-    activerecord (3.2.17)
-      activemodel (= 3.2.17)
-      activesupport (= 3.2.17)
+    activerecord (3.2.19)
+      activemodel (= 3.2.19)
+      activesupport (= 3.2.19)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.17)
+    activesupport (3.2.19)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.3)
@@ -69,7 +69,7 @@ GEM
     json (1.8.1)
     metasploit-concern (0.1.1)
       activesupport (~> 3.0, >= 3.0.0)
-    metasploit-model (0.25.2)
+    metasploit-model (0.25.3)
       activesupport
     metasploit_data_models (0.18.0)
       activerecord (>= 3.2.13, < 4.0.0)
@@ -87,9 +87,9 @@ GEM
     packetfu (1.1.9)
     pcaprub (0.11.3)
     pg (0.17.1)
-    pry (0.9.12.6)
-      coderay (~> 1.0)
-      method_source (~> 0.8)
+    pry (0.10.0)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
       slop (~> 3.4)
     rack (1.4.5)
     rack-cache (1.2)
@@ -98,38 +98,41 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    railties (3.2.17)
-      actionpack (= 3.2.17)
-      activesupport (= 3.2.17)
+    railties (3.2.19)
+      actionpack (= 3.2.19)
+      activesupport (= 3.2.19)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
-    rake (10.3.1)
+    rake (10.3.2)
     rdoc (3.12.2)
       json (~> 1.4)
-    redcarpet (3.1.1)
+    redcarpet (3.1.2)
     rkelly-remix (0.0.6)
     robots (0.10.1)
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.8)
-    rspec-expectations (2.14.5)
+    rspec (2.99.0)
+      rspec-core (~> 2.99.0)
+      rspec-expectations (~> 2.99.0)
+      rspec-mocks (~> 2.99.0)
+    rspec-collection_matchers (1.0.0)
+      rspec-expectations (>= 2.99.0.beta1)
+    rspec-core (2.99.1)
+    rspec-expectations (2.99.1)
       diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.6)
-    rspec-rails (2.14.2)
+    rspec-mocks (2.99.1)
+    rspec-rails (2.99.0)
       actionpack (>= 3.0)
       activemodel (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
+      rspec-collection_matchers
+      rspec-core (~> 2.99.0)
+      rspec-expectations (~> 2.99.0)
+      rspec-mocks (~> 2.99.0)
     rubyntlm (0.4.0)
-    rubyzip (1.1.4)
-    shoulda-matchers (2.6.0)
+    rubyzip (1.1.6)
+    shoulda-matchers (2.6.1)
       activesupport (>= 3.0.0)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
@@ -165,8 +168,8 @@ DEPENDENCIES
   pry
   rake (>= 10.0.0)
   redcarpet
-  rspec (>= 2.12)
-  rspec-rails
+  rspec (>= 2.12, < 3.0.0)
+  rspec-rails (>= 2.12, < 3.0.0)
   shoulda-matchers
   simplecov (= 0.5.4)
   timecop

lib/metasploit/framework/login_scanner/afp.rb

@@ -19,6 +19,7 @@ class AFP
         LIKELY_PORTS         = [ DEFAULT_PORT ]
         LIKELY_SERVICE_NAMES = [ "afp" ]
         PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
 
         # @!attribute login_timeout
         #   @return [Integer] Number of seconds to wait before giving up
@@ -38,9 +39,10 @@ def attempt_login(credential)
         end
 
         def set_sane_defaults
-          self.port          = DEFAULT_PORT if self.port.nil?
-          self.max_send_size = 0 if self.max_send_size.nil?
-          self.send_delay    = 0 if self.send_delay.nil?
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
         end
       end
     end

lib/metasploit/framework/login_scanner/axis2.rb

@@ -9,7 +9,7 @@ module LoginScanner
       class Axis2 < HTTP
 
         DEFAULT_PORT = 8080
-        # Inherit LIKELY_PORTS and LIKELY_SERVICE_NAMES from HTTP
+        # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
 
         CAN_GET_SESSION = true
         PRIVATE_TYPES   = [ :password ]
@@ -20,6 +20,9 @@ def attempt_login(credential)
             host, port, {}, ssl, ssl_version
           )
 
+          result_opts = {
+              credential: credential
+          }
           begin
             http_client.connect
             body = "userName=#{Rex::Text.uri_encode(credential.public)}&password=#{Rex::Text.uri_encode(credential.private)}&submit=+Login+"
@@ -29,13 +32,18 @@ def attempt_login(credential)
               'data' => body,
             )
             response = http_client.send_recv(request)
-          end
 
-          if response && response.code == 200 && response.body.include?("upload")
-            Result.new(status: :success, credential: credential, proof: response)
-          else
-            Result.new(status: :failed, credential: credential, proof: response)
+            if response && response.code == 200 && response.body.include?("upload")
+              result_opts.merge!(status: :success, proof: response)
+            else
+              result_opts.merge!(status: :failed, proof: response)
+            end
+          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: :connection_error)
           end
+
+          Result.new(result_opts)
+
         end
 
         # (see Base#set_sane_defaults)

lib/metasploit/framework/login_scanner/base.rb

@@ -77,6 +77,38 @@ def attempt_login(credential)
             raise NotImplementedError
           end
 
+
+          def each_credential
+            cred_details.each do |raw_cred|
+              # This could be a Credential object, or a Credential Core, or an Attempt object
+              # so make sure that whatever it is, we end up with a Credential.
+              credential = raw_cred.to_credential
+
+              if credential.realm.present? && self.class::REALM_KEY.present?
+                credential.realm_key = self.class::REALM_KEY
+                yield credential
+              elsif credential.realm.blank? && self.class::REALM_KEY.present? && self.class::DEFAULT_REALM.present?
+                credential.realm_key = self.class::REALM_KEY
+                credential.realm     = self.class::DEFAULT_REALM
+                yield credential
+              elsif credential.realm.present? && self.class::REALM_KEY.blank?
+                second_cred = credential.dup
+                # Strip the realm off here, as we don't want it
+                credential.realm = nil
+                credential.realm_key = nil
+                yield credential
+                # Some services can take a domain in the username like this even though
+                # they do not explicitly take a domain as part of the protocol.
+                second_cred.public = "#{second_cred.realm}\\#{second_cred.public}"
+                second_cred.realm = nil
+                second_cred.realm_key = nil
+                yield second_cred
+              else
+                yield credential
+              end
+            end
+          end
+
           # Attempt to login with every {Credential credential} in
           # {#cred_details}, by calling {#attempt_login} once for each.
           #
@@ -91,8 +123,7 @@ def scan!
             consecutive_error_count = 0
             total_error_count = 0
 
-            cred_details.each do |raw_credential|
-              credential = raw_credential.to_credential
+            each_credential do |credential|
               result = attempt_login(credential)
               result.freeze
 

lib/metasploit/framework/login_scanner/db2.rb

@@ -14,10 +14,12 @@ class DB2
         include Metasploit::Framework::Tcp::Client
 
         DEFAULT_PORT         = 50000
+        DEFAULT_REALM        = 'toolsdb'
         LIKELY_PORTS         = [ DEFAULT_PORT ]
         # @todo XXX
         LIKELY_SERVICE_NAMES = [ ]
         PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = Metasploit::Model::Realm::Key::DB2_DATABASE
 
         # @see Base#attempt_login
         def attempt_login(credential)
@@ -94,10 +96,12 @@ def send_probe(database_name)
         # This method sets the sane defaults for things
         # like timeouts and TCP evasion options
         def set_sane_defaults
-          self.port ||= DEFAULT_PORT
-          self.max_send_size ||= 0
-          self.send_delay    ||= 0
-          self.ssl           ||= false
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+
+          self.ssl = false  if self.ssl.nil?
         end
 
         # This method takes a response packet and checks to see

lib/metasploit/framework/login_scanner/ftp.rb

@@ -18,6 +18,7 @@ class FTP
         LIKELY_PORTS         = [ DEFAULT_PORT, 2121 ]
         LIKELY_SERVICE_NAMES = [ 'ftp' ]
         PRIVATE_TYPES        = [ :password ]
+        REALM_KEY           = nil
 
         # @!attribute ftp_timeout
         #   @return [Fixnum] The timeout in seconds to wait for a response to an FTP command
@@ -61,10 +62,11 @@ def attempt_login(credential)
         # This method sets the sane defaults for things
         # like timeouts and TCP evasion options
         def set_sane_defaults
-          self.port = DEFAULT_PORT if self.port.nil?
-          self.max_send_size = 0 if self.max_send_size.nil?
-          self.send_delay = 0 if self.send_delay.nil?
-          self.ftp_timeout = 16 if self.ftp_timeout.nil?
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+          self.ftp_timeout        ||= 16
         end
 
       end

lib/metasploit/framework/login_scanner/http.rb

@@ -12,11 +12,13 @@ class HTTP
         include Metasploit::Framework::LoginScanner::Base
         include Metasploit::Framework::LoginScanner::RexSocket
 
+        DEFAULT_REALM        = nil
         DEFAULT_PORT         = 80
         DEFAULT_SSL_PORT     = 443
         LIKELY_PORTS         = [ 80, 443, 8000, 8080 ]
         LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
         PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
 
         # @!attribute uri
         #   @return [String] The path and query string on the server to
@@ -91,6 +93,7 @@ def attempt_login(credential)
         # This method sets the sane defaults for things
         # like timeouts and TCP evasion options
         def set_sane_defaults
+          self.connection_timeout ||= 20
           self.max_send_size = 0 if self.max_send_size.nil?
           self.send_delay = 0 if self.send_delay.nil?
 

lib/metasploit/framework/login_scanner/mssql.rb

@@ -17,11 +17,13 @@ class MSSQL
         include Metasploit::Framework::MSSQL::Client
 
         DEFAULT_PORT         = 1433
+        DEFAULT_REALM         = 'WORKSTATION'
         # Lifted from lib/msf/core/exploit/mssql.rb
         LIKELY_PORTS         = [ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
         # Lifted from lib/msf/core/exploit/mssql.rb
         LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase' ]
         PRIVATE_TYPES        = [ :password, :ntlm_hash ]
+        REALM_KEY           = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
 
         # @!attribute windows_authentication
         #   @return [Boolean] Whether to use Windows Authentication instead of SQL Server Auth.
@@ -51,9 +53,12 @@ def attempt_login(credential)
         private
 
         def set_sane_defaults
-          self.port                   = DEFAULT_PORT if self.port.nil?
-          self.max_send_size          = 0 if self.max_send_size.nil?
-          self.send_delay             = 0 if self.send_delay.nil?
+          self.connection_timeout    ||= 30
+          self.port                  ||= DEFAULT_PORT
+          self.max_send_size         ||= 0
+          self.send_delay            ||= 0
+
+          # Don't use ||= with booleans
           self.send_lm                = true if self.send_lm.nil?
           self.send_ntlm              = true if self.send_ntlm.nil?
           self.send_spn               = true if self.send_spn.nil?