
Commit 3ec6d9b

committed
Update owa_login to use new cred API
1 parent 4ee0a14 commit 3ec6d9b


1 file changed

+65
-21
lines changed


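--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -76,7 +76,6 @@ def initialize
 }
 )
 
-
 register_options(
 [
 OptInt.new('RPORT', [ true, "The target port", 443]),
@@ -128,21 +127,29 @@ def run
 each_user_pass do |user, pass|
 next if (user.blank? or pass.blank?)
 vprint_status("#{msg} Trying #{user} : #{pass}")
-try_user_pass({"user" => user, "domain"=>domain, "pass"=>pass, "auth_path"=>auth_path, "inbox_path"=>inbox_path, "login_check"=>login_check, "vhost"=>vhost})
+try_user_pass({
+user: user,
+domain: domain,
+pass: pass,
+auth_path: auth_path,
+inbox_path: inbox_path,
+login_check: login_check,
+vhost: vhost
+})
 end
 rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
 print_error("#{msg} HTTP Connection Error, Aborting")
 end
 end
 
 def try_user_pass(opts)
-user = opts["user"]
-pass = opts["pass"]
-auth_path = opts["auth_path"]
-inbox_path = opts["inbox_path"]
-login_check = opts["login_check"]
-vhost = opts["vhost"]
-domain = opts["domain"]
+user = opts[:user]
+pass = opts[:pass]
+auth_path = opts[:auth_path]
+inbox_path = opts[:inbox_path]
+login_check = opts[:login_check]
+vhost = opts[:vhost]
+domain = opts[:domain]
 
 user = domain + '\\' + user if domain
 
@@ -208,7 +215,13 @@ def try_user_pass(opts)
 :active => true,
 :type => 'password'}
 
-report_auth_info(report_hash)
+report_cred(
+ip: datastore['RHOST'],
+port: datastore['RPORT'],
+service_name: 'owa',
+user: user,
+password: pass
+)
 return :next_user
 end
 
@@ -273,7 +286,13 @@ def try_user_pass(opts)
 :active => true,
 :type => 'password'}
 
-report_auth_info(report_hash)
+report_cred(
+ip: datastore['RHOST'],
+port: datastore['RPORT'],
+service_name: 'owa',
+user: user,
+password: pass
+)
 return :next_user
 else
 vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (response body did not match)")
@@ -282,14 +301,14 @@ def try_user_pass(opts)
 end
 
 def get_ad_domain
-urls = ["aspnet_client",
-"Autodiscover",
-"ecp",
-"EWS",
-"Microsoft-Server-ActiveSync",
-"OAB",
-"PowerShell",
-"Rpc"]
+urls = ['aspnet_client',
+'Autodiscover',
+'ecp',
+'EWS',
+'Microsoft-Server-ActiveSync',
+'OAB',
+'PowerShell',
+'Rpc']
 
 domain = nil
 
@@ -299,7 +318,7 @@ def get_ad_domain
 'encode' => true,
 'uri' => "/#{url}",
 'method' => 'GET',
-'headers' => {"Authorization" => "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="}
+'headers' => {'Authorization' => 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='}
 })
 rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
 vprint_error("#{msg} HTTP Connection Failed")
@@ -314,14 +333,39 @@ def get_ad_domain
 if res && res.code == 401 && res.headers.has_key?('WWW-Authenticate') && res.headers['WWW-Authenticate'].match(/^NTLM/i)
 hash = res['WWW-Authenticate'].split('NTLM ')[1]
 domain = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_name].value().gsub(/\0/,'')
-print_good("Found target domain: " + domain)
+print_good("Found target domain: #{domain}")
 return domain
 end
 end
 
 return domain
 end
 
+def report_cred(opts)
+service_data = {
+address: opts[:ip],
+port: opts[:port],
+service_name: opts[:service_name],
+protocol: 'tcp',
+workspace_id: myworkspace_id
+}
+
+credential_data = {
+origin_type: :service,
+module_fullname: fullname,
+username: opts[:user],
+private_data: opts[:password],
+private_type: :password
+}.merge(service_data)
+
+login_data = {
+core: create_credential(credential_data),
+status: Metasploit::Model::Login::Status::UNTRIED,
+}.merge(service_data)
+
+create_credential_login(login_data)
+end
+
 def msg
 "#{vhost}:#{rport} OWA -"
 end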
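Review bot: The new `report_cred` stores the login with `status: Metasploit::Model::Login::Status::UNTRIED`, yet both `report_cred(` calls in `try_user_pass` sit directly before `return :next_user` on what appear to be the accepted-login paths. A credential the module has just validated would therefore be recorded as never attempted, so anyone reviewing the workspace cannot tell confirmed OWA passwords from unverified ones. The `login_data` hash should use `status: Metasploit::Model::Login::Status::SUCCESSFUL` and could also set `last_attempted_at: DateTime.now`. Separately, the `report_hash` literal whose tail (`:active => true, :type => 'password'}`) is visible above each call looks unused now that `report_auth_info(report_hash)` is gone. Its opening lines are outside the hunks, so confirm before deleting it.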
