rubocop check & msftidy run clean. Minor updates.

Author: juushya

documentation/modules/auxiliary/scanner/http/epmp1000_web_login.md

@@ -2,7 +2,7 @@ This module scans for Cambium ePMP 1000 management login portal(s), and attempts
 
 ## Verification Steps
 
-1. Do: ```auxiliary/scanner/http/epmp1000_web_login```
+1. Do: ```use auxiliary/scanner/http/epmp1000_web_login```
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```
@@ -11,45 +11,6 @@ This module scans for Cambium ePMP 1000 management login portal(s), and attempts
 
   ```
 msf > use auxiliary/scanner/http/epmp1000_web_login
-msf auxiliary(epmp1000_web_login) > info
-
-       Name: Cambium ePMP 1000 Login Scanner
-     Module: auxiliary/scanner/http/epmp1000_web_login
-    License: Metasploit Framework License (BSD)
-       Rank: Normal
-
-Provided by:
-  Karn Ganeshen <[email protected]>
-
-Basic options:
-  Name              Current Setting  Required  Description
-  ----              ---------------  --------  -----------
-  BLANK_PASSWORDS   false            no        Try blank passwords for all users
-  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
-  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
-  DB_ALL_PASS       false            no        Add all passwords in the current database to the list
-  DB_ALL_USERS      false            no        Add all users in the current database to the list
-  PASSWORD          admin            no        A specific password to authenticate with
-  PASS_FILE                          no        File containing passwords, one per line
-  Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
-  RHOSTS                             yes       The target address range or CIDR identifier
-  RPORT             80               yes       The target port
-  SSL               false            no        Negotiate SSL/TLS for outgoing connections
-  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
-  THREADS           1                yes       The number of concurrent threads
-  USERNAME          admin            no        A specific username to authenticate as
-  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
-  USER_AS_PASS      false            no        Try the username as the password for all users
-  USER_FILE                          no        File containing usernames, one per line
-  VERBOSE           true             yes       Whether to print output for all attempts
-  VHOST                              no        HTTP server virtual host
-
-Description:
-  This module scans for Cambium ePMP 1000 management login portal(s), 
-  and attempts to identify valid credentials. Default login 
-  credentials are - admin/admin, installer/installer, home/home and 
-  readonly/readonly.
-
 msf auxiliary(epmp1000_web_login) > set rhosts 1.2.3.4
 msf auxiliary(epmp1000_web_login) > set username installer
 msf auxiliary(epmp1000_web_login) > set password installer

modules/auxiliary/scanner/http/epmp1000_web_login.rb

@@ -15,22 +15,23 @@ def initialize(info={})
     super(update_info(info,
       'Name'        => 'Cambium ePMP 1000 Login Scanner',
       'Description' => %{
-        This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
+        This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly. Tested versions <=3.2.1 (current version). This should work fine for any future releases.
       },
       'Author'         =>
         [
-          'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
+          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
         ],
       'License'        => MSF_LICENSE,
-      'DefaultOptions' => { 'VERBOSE' => true }
-    ))
+      'DefaultOptions' => { 'VERBOSE' => true })
+    )
 
     register_options(
-    [
-      Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
-      OptString.new('USERNAME', [false, "A specific username to authenticate as", "admin"]),
-      OptString.new('PASSWORD', [false, "A specific password to authenticate with", "admin"])
-    ], self.class)
+      [
+        Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
+        OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'admin']),
+        OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'admin'])
+      ], self.class
+    )
   end
 
   def run_host(ip)
@@ -78,16 +79,17 @@ def report_cred(opts)
   def is_app_epmp1000?
     begin
       res = send_request_cgi(
-      {
-        'uri'       => '/',
-        'method'    => 'GET'
-      })
+        {
+          'uri'       => '/',
+          'method'    => 'GET'
+        }
+      )
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
       print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
       return false
     end
 
-    if (res and res.code == 200 and res.headers['Server'] and (res.headers['Server'].include?("Cambium HTTP Server") or res.body.include?("cambiumnetworks.com")))
+    if (res && res.code == 200 && res.headers['Server'] && (res.headers['Server'].include?('Cambium HTTP Server') || res.body.include?('cambiumnetworks.com')))
 
       get_epmp_ver = res.body.match(/"sw_version">([^<]*)/)
       epmp_ver = get_epmp_ver[1]
@@ -114,73 +116,72 @@ def do_login(user, pass)
     begin
 
       res = send_request_cgi(
-      {
-        'uri'       => '/cgi-bin/luci',
-        'method'    => 'POST',
-        'headers'   => {'X-Requested-With' => 'XMLHttpRequest','Accept'	=> 'application/json, text/javascript, */*; q=0.01'},
-        'vars_post' =>
-          {
-            'username' => 'dashboard',
-            'password' => ''
-          }
-      })
-
-rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+        {
+          'uri'       => '/cgi-bin/luci',
+          'method'    => 'POST',
+          'headers'   => { 'X-Requested-With' => 'XMLHttpRequest', 'Accept'	=> 'application/json, text/javascript, */*; q=0.01' },
+          'vars_post' =>
+            {
+              'username' => 'dashboard',
+              'password' => ''
+            }
+        }
+      )
+
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
 
       vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...")
       return :abort
 
     end
 
-    if (res and res.code == 200 and res.headers.include?("Set-Cookie") and res.headers['Set-Cookie'].include?("sysauth"))
+    if (res && res.code == 200 && res.headers.include?('Set-Cookie') && res.headers['Set-Cookie'].include?('sysauth'))
 
       get_cookie = res.headers['Set-Cookie']
       get_stok = res.headers['Set-Cookie'].match(/stok=(.*)/)
       stok_value = get_stok[1]
       sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/)
-      cookie1 = "#{sysauth_value}; "+"globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
+      cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
 
       res = send_request_cgi(
-      {
-        'uri'       => '/cgi-bin/luci',
-        'method'    => 'POST',
-        'cookie'    => cookie1,
-        'headers'   => {
-           'X-Requested-With' => 'XMLHttpRequest',
-           'Accept'	      => 'application/json, text/javascript, */*; q=0.01',
-           'Connection'	      => 'close'
-        },
-        'vars_post' =>
-          {
-            'username' => user,
-            'password' => pass
-          }
-      })
+        {
+          'uri'       => '/cgi-bin/luci',
+          'method'    => 'POST',
+          'cookie'    => cookie1,
+          'headers'   => { 'X-Requested-With' => 'XMLHttpRequest', 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Connection' => 'close' },
+          'vars_post' =>
+            {
+              'username' => user,
+              'password' => pass
+            }
+        }
+      )
 
     end
 
-    if (res and res.code == 200 and res.headers.include?("Set-Cookie") and res.headers['Set-Cookie'].include?("stok="))
+    if (res && res.code == 200 && res.headers.include?('Set-Cookie') && res.headers['Set-Cookie'].include?('stok='))
 
       print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
 
-  #
-  # Extract ePMP version
-  #
+     #
+     # Extract ePMP version
+     #
       res = send_request_cgi(
-      {
-        'uri'       => '/',
-        'method'    => 'GET'
-      })
+        {
+          'uri' => '/',
+          'method' => 'GET'
+        }
+      )
 
       get_epmp_ver = res.body.match(/"sw_version">([^<]*)/)
       epmp_ver = get_epmp_ver[1]
 
       report_cred(
-              ip: rhost,
-              port: rport,
-              service_name: "Cambium ePMP 1000 version #{epmp_ver}",
-              user: user,
-              password: pass
+        ip: rhost,
+        port: rport,
+        service_name: "Cambium ePMP 1000 version #{epmp_ver}",
+        user: user,
+        password: pass
       )
 
     else