Land rapid7#5376, Report ipmi_dumphashes credentials with create_credential_login

wchen-r7 · wchen-r7 · commit 2ae9e3971923 · 2015-05-27T13:11:07.000-05:00
diff --git a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
@@ -71,7 +71,6 @@ def run_host(ip)
     passwords << ""
     passwords = passwords.uniq
 
-
     self.udp_sock = Rex::Socket::Udp.create({'Context' => {'Msf' => framework, 'MsfExploit' => self}})
     add_socket(self.udp_sock)
 
@@ -180,18 +179,8 @@ def run_host(ip)
       write_output_files(rhost, username, sha1_salt, sha1_hash)
 
       # Write the rakp hash to the database
-      report_auth_info(
-        :host	=> rhost,
-        :port   => rport,
-        :proto  => 'udp',
-        :sname	=> 'ipmi',
-        :user 	=> username,
-        :pass   => "#{sha1_salt}:#{sha1_hash}",
-        :source_type => "captured",
-        :active => true,
-        :type   => 'rakp_hmac_sha1_hash'
-      )
-
+      hash = "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}"
+      core_id = report_hash(username, hash)
       # Write the vulnerability to the database
       unless reported_vuln
         report_vuln(
@@ -216,17 +205,7 @@ def run_host(ip)
         print_good("#{rhost}:#{rport} - IPMI - Hash for user '#{username}' matches password '#{pass}'")
 
         # Report the clear-text credential to the database
-        report_auth_info(
-          :host	=> rhost,
-          :port   => rport,
-          :proto  => 'udp',
-          :sname	=> 'ipmi',
-          :user 	=> username,
-          :pass   => pass,
-          :source_type => "cracked",
-          :active => true,
-          :type   => 'password'
-        )
+        report_cracked_cred(username, pass, core_id)
         break
       end
     end
@@ -265,6 +244,45 @@ def write_output_files(rhost, username, sha1_salt, sha1_hash)
     end
   end
 
+  def service_data
+    {
+      address: rhost,
+      port: rport,
+      service_name: 'ipmi',
+      protocol: 'udp',
+      workspace_id: myworkspace_id
+    }
+  end
+
+  def report_hash(user, hash)
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: hash,
+      private_type: :nonreplayable_hash,
+      jtr_format: 'rakp',
+      username: user,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    cl = create_credential_login(login_data)
+    cl.core_id
+  end
+
+  def report_cracked_cred(user, password, core_id)
+    cred_data = {
+      core_id: core_id,
+      username: user,
+      password: password
+    }
+
+    create_cracked_credential(cred_data)
+  end
+
   #
   # Helper methods (these didn't quite fit with existing mixins)
   #
@@ -292,5 +310,4 @@ def rhost
   def rport
     datastore['RPORT']
   end
-
 end
