Merge pull request rapid7#4364 from todb-r7/bug/bruteforce-speed-3904

dmaloney-r7 · dmaloney-r7 · commit 47c38ed04ee2 · 2014-12-11T13:19:42.000-06:00
Modules should respect bruteforce_speed again
diff --git a/lib/metasploit/framework/login_scanner/base.rb b/lib/metasploit/framework/login_scanner/base.rb
@@ -30,6 +30,9 @@ module Base
           # @!attribute stop_on_success
           #   @return [Boolean] Whether the scanner should stop when it has found one working Credential
           attr_accessor :stop_on_success
+          # @!attribute bruteforce_speed
+          #   @return [Fixnum] The desired speed, with 5 being 'fast' and 0 being 'slow.'
+          attr_accessor :bruteforce_speed
 
           validates :connection_timeout,
                     presence: true,
@@ -53,6 +56,14 @@ module Base
           validates :stop_on_success,
                     inclusion: { in: [true, false] }
 
+          validates :bruteforce_speed,
+                    presence: false,
+                    numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 0,
+                      less_than_or_equal_to:    5
+                    }
+
           validate :host_address_must_be_valid
 
           validate :validate_cred_details
@@ -86,6 +97,34 @@ def check_setup
             false
           end
 
+          # @note Override this to set a timeout that makes more sense for
+          # your particular protocol. Telnet already usually takes a really
+          # long time, while MSSQL is often lickety-split quick. If
+          # overridden, the override should probably do something sensible
+          # with {#bruteforce_speed}
+          #
+          # @return [Fixnum] a number of seconds to sleep between attempts
+          def sleep_time
+            case bruteforce_speed
+              when 0; 60 * 5
+              when 1; 15
+              when 2; 1
+              when 3; 0.5
+              when 4; 0.1
+              else; 0
+            end
+          end
+
+          # A threadsafe sleep method
+          #
+          # @param time [Fixnum] number of seconds (can be a Float), defaults
+          # to {#sleep_time}
+          #
+          # @return [void]
+          def sleep_between_attempts(time=self.sleep_time)
+            ::IO.select(nil,nil,nil,time) unless sleep_time.zero?
+          end
+
           def each_credential
             cred_details.each do |raw_cred|
 
@@ -148,6 +187,7 @@ def scan!
             total_error_count = 0
 
             successful_users = Set.new
+            first_attempt = true
 
             each_credential do |credential|
               # Skip users for whom we've have already found a password
@@ -161,6 +201,12 @@ def scan!
                 next
               end
 
+              if first_attempt
+                first_attempt = false
+              else
+                sleep_between_attempts
+              end
+
               result = attempt_login(credential)
               result.freeze
 
diff --git a/lib/metasploit/framework/login_scanner/db2.rb b/lib/metasploit/framework/login_scanner/db2.rb
@@ -106,7 +106,7 @@ def set_sane_defaults
           self.max_send_size      ||= 0
           self.send_delay         ||= 0
 
-          self.ssl = false  if self.ssl.nil?
+          self.ssl = false if self.ssl.nil?
         end
 
         # This method takes a response packet and checks to see
diff --git a/modules/auxiliary/scanner/afp/afp_login.rb b/modules/auxiliary/scanner/afp/afp_login.rb
@@ -63,6 +63,7 @@ def run_host(ip)
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 30,
         max_send_size: datastore['TCP::max_send_size'],
         send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/db2/db2_auth.rb b/modules/auxiliary/scanner/db2/db2_auth.rb
@@ -61,6 +61,7 @@ def run_host(ip)
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 30,
         max_send_size: datastore['TCP::max_send_size'],
         send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/ftp/ftp_login.rb b/modules/auxiliary/scanner/ftp/ftp_login.rb
@@ -75,6 +75,7 @@ def run_host(ip)
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         max_send_size: datastore['TCP::max_send_size'],
         send_delay: datastore['TCP::send_delay'],
         connection_timeout: 30
diff --git a/modules/auxiliary/scanner/http/appletv_login.rb b/modules/auxiliary/scanner/http/appletv_login.rb
@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/http'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -80,6 +81,7 @@ def run_host(ip)
         proxies: datastore["PROXIES"],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 5,
     )
 
diff --git a/modules/auxiliary/scanner/http/axis_login.rb b/modules/auxiliary/scanner/http/axis_login.rb
@@ -85,6 +85,7 @@ def run_host(ip)
       proxies: proxies,
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 5,
       user_agent: datastore['UserAgent'],
       vhost: datastore['VHOST']
diff --git a/modules/auxiliary/scanner/http/buffalo_login.rb b/modules/auxiliary/scanner/http/buffalo_login.rb
@@ -49,6 +49,7 @@ def run_host(ip)
       proxies: datastore['PROXIES'],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 10,
       user_agent: datastore['UserAgent'],
       vhost: datastore['VHOST']
diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb
@@ -100,6 +100,7 @@ def init_loginscanner(ip)
       proxies:            datastore["PROXIES"],
       cred_details:       @cred_collection,
       stop_on_success:    datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 5
     )
 
diff --git a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
@@ -82,6 +82,7 @@ def init_loginscanner(ip)
       proxies:            datastore["PROXIES"],
       cred_details:       @cred_collection,
       stop_on_success:    datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 5
     )
 
diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb
@@ -160,6 +160,7 @@ def run_host(ip)
       proxies: datastore["PROXIES"],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 5,
       user_agent: datastore['UserAgent'],
       vhost: datastore['VHOST']
diff --git a/modules/auxiliary/scanner/http/ipboard_login.rb b/modules/auxiliary/scanner/http/ipboard_login.rb
@@ -44,6 +44,7 @@ def run_host(ip)
         proxies: datastore["PROXIES"],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 5,
         user_agent: datastore['UserAgent'],
         vhost: datastore['VHOST']
diff --git a/modules/auxiliary/scanner/http/jenkins_login.rb b/modules/auxiliary/scanner/http/jenkins_login.rb
@@ -48,6 +48,7 @@ def run_host(ip)
       proxies: datastore['PROXIES'],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 10,
       user_agent: datastore['UserAgent'],
       vhost: datastore['VHOST']
diff --git a/modules/auxiliary/scanner/http/mybook_live_login.rb b/modules/auxiliary/scanner/http/mybook_live_login.rb
@@ -60,6 +60,7 @@ def run_host(ip)
       proxies: datastore['PROXIES'],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 10,
       user_agent: datastore['UserAgent'],
       vhost: datastore['VHOST']
diff --git a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb
@@ -111,6 +111,7 @@ def run_host(ip)
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 10,
         user_agent: datastore['UserAgent'],
         vhost: datastore['VHOST']
diff --git a/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb b/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb
@@ -91,6 +91,7 @@ def run_host(ip)
         proxies: datastore["PROXIES"],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 5,
     )
 
diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb
@@ -51,6 +51,7 @@ def run_host(ip)
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 30,
         max_send_size: datastore['TCP::max_send_size'],
         send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb
@@ -60,6 +60,7 @@ def run_host(ip)
             proxies: datastore['PROXIES'],
             cred_details: cred_collection,
             stop_on_success: datastore['STOP_ON_SUCCESS'],
+            bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
             connection_timeout: 30,
             max_send_size: datastore['TCP::max_send_size'],
             send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/pop3/pop3_login.rb b/modules/auxiliary/scanner/pop3/pop3_login.rb
@@ -71,6 +71,7 @@ def run_host(ip)
       ssl: datastore['SSL'],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       max_send_size: datastore['TCP::max_send_size'],
       send_delay: datastore['TCP::send_delay'],
     )
diff --git a/modules/auxiliary/scanner/postgres/postgres_login.rb b/modules/auxiliary/scanner/postgres/postgres_login.rb
@@ -69,6 +69,7 @@ def run_host(ip)
       proxies: datastore['PROXIES'],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 30
     )
 
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -73,6 +73,7 @@ def run_host(ip)
       host: ip,
       port: rport,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 5,
       max_send_size: datastore['TCP::max_send_size'],
       send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/snmp/snmp_login.rb b/modules/auxiliary/scanner/snmp/snmp_login.rb
@@ -60,6 +60,7 @@ def run_batch(batch)
           port: rport,
           cred_details: collection,
           stop_on_success: datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
           connection_timeout: 2
       )
 
diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb
@@ -115,6 +115,7 @@ def run_host(ip)
       cred_details: cred_collection,
       proxies: datastore['Proxies'],
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: datastore['SSH_TIMEOUT'],
     )
 
diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
@@ -207,6 +207,7 @@ def run_host(ip)
       port: rport,
       cred_details: keys,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       proxies: datastore['Proxies'],
       connection_timeout: datastore['SSH_TIMEOUT'],
     )
diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb
@@ -64,6 +64,7 @@ def run_host(ip)
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: datastore['Timeout'],
         max_send_size: datastore['TCP::max_send_size'],
         send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/vmware/vmauthd_login.rb b/modules/auxiliary/scanner/vmware/vmauthd_login.rb
@@ -72,6 +72,7 @@ def run_host(ip)
       proxies: datastore['PROXIES'],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 30,
       max_send_size: datastore['TCP::max_send_size'],
       send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb
@@ -77,6 +77,7 @@ def run_host(ip)
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: datastore['ConnectTimeout'],
         max_send_size: datastore['TCP::max_send_size'],
         send_delay: datastore['TCP::send_delay'],
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -59,6 +59,7 @@ def run_host(ip)
       proxies: datastore["PROXIES"],
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 10,
     )
 
diff --git a/spec/lib/metasploit/framework/login_scanner/base_spec.rb b/spec/lib/metasploit/framework/login_scanner/base_spec.rb
@@ -0,0 +1,85 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/base'
+
+describe Metasploit::Framework::LoginScanner::Base do
+
+  let(:base_class) {
+    Class.new do
+      include Metasploit::Framework::LoginScanner::Base
+      def self.model_name
+        ActiveModel::Name.new(self, nil, 'base')
+      end
+    end
+  }
+
+  subject(:login_scanner) { base_class.new }
+
+  it { should respond_to :bruteforce_speed }
+
+  context 'validations' do
+    context 'bruteforce_speed' do
+      it 'is not valid for a non-number' do
+        login_scanner.bruteforce_speed = "a"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:bruteforce_speed]).to include "is not a number"
+      end
+
+      it 'is not valid for a float' do
+        login_scanner.bruteforce_speed = "3.14"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:bruteforce_speed]).to include "must be an integer"
+      end
+
+      it 'is not negative' do
+        login_scanner.bruteforce_speed = "-1"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:bruteforce_speed]).to include "must be greater than or equal to 0"
+      end
+
+      it 'is not greater than five' do
+        login_scanner.bruteforce_speed = "6"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:bruteforce_speed]).to include "must be less than or equal to 5"
+      end
+    end
+
+    it { should respond_to :sleep_time }
+
+    context '#sleep_time' do
+
+      context 'default' do
+        subject(:sleep_time) { base_class.new.sleep_time }
+        it 'defaults to zero' do
+          expect(sleep_time).to eq(0)
+        end
+      end
+
+      context 'set' do
+        subject(:sleep_time) {
+          klass = base_class.new
+          klass.bruteforce_speed = 0
+          klass.sleep_time
+        }
+        it 'is five minutes when bruteforce_speed is set to 0' do
+          expect(sleep_time).to eq(60 * 5)
+        end
+      end
+    end
+
+    it { should respond_to :sleep_between_attempts }
+
+    context '#sleep_between_attempts'
+    context 'default' do
+      subject(:sleep_between_attempts) { base_class.new.sleep_between_attempts }
+      it 'returns nothing' do
+        expect(sleep_between_attempts).to be_nil
+      end
+    end
+
+    context 'actually sleep a little' do
+      # I don't want to slow down the test, and I don't really know how
+      # to test a time interval anyway since rspec disables sleep. :(
+    end
+  end
+
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/telnet_spec.rb b/spec/lib/metasploit/framework/login_scanner/telnet_spec.rb

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,7 @@ def init_loginscanner(ip)`
`100`	`100`	`proxies: datastore["PROXIES"],`
`101`	`101`	`cred_details: @cred_collection,`
`102`	`102`	`stop_on_success: datastore['STOP_ON_SUCCESS'],`
	`103`	`+ bruteforce_speed: datastore['BRUTEFORCE_SPEED'],`
`103`	`104`	`connection_timeout: 5`
`104`	`105`	`)`
`105`	`106`
Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,7 @@ def init_loginscanner(ip)`
`82`	`82`	`proxies: datastore["PROXIES"],`
`83`	`83`	`cred_details: @cred_collection,`
`84`	`84`	`stop_on_success: datastore['STOP_ON_SUCCESS'],`
	`85`	`+ bruteforce_speed: datastore['BRUTEFORCE_SPEED'],`
`85`	`86`	`connection_timeout: 5`
`86`	`87`	`)`
`87`	`88`