Merge pull request rapid7#3689 from TomSellers/loginpalooza/vmauthd-creds-update

dmaloney-r7 · dmaloney-r7 · commit 8d26b66e2fa9 · 2014-08-26T18:43:12.000-05:00
Credential Gem: LoginScanner - vmauthd_login ( Rebase of PR 3608)
diff --git a/lib/metasploit/framework/login_scanner/vmauthd.rb b/lib/metasploit/framework/login_scanner/vmauthd.rb
@@ -0,0 +1,112 @@
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with vmware-auth.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class VMAUTHD
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 902
+        LIKELY_PORTS         = [ DEFAULT_PORT, 903, 912 ]
+        LIKELY_SERVICE_NAMES = [ 'vmauthd', 'vmware-auth' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attempt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            service_name: 'vmauthd',
+            protocol: 'tcp'
+          }
+
+          disconnect if self.sock
+
+          begin
+            connect
+            select([sock], nil, nil, 0.4)
+
+            # Check to see if we received an OK?
+            result_options[:proof] = sock.get_once
+            if result_options[:proof] && result_options[:proof][/^220 VMware Authentication Daemon Version.*/]
+              # Switch to SSL if required
+              swap_sock_plain_to_ssl(sock) if result_options[:proof] && result_options[:proof][/SSL/]
+
+              # If we received an OK we should send the USER
+              sock.put("USER #{credential.public}\r\n")
+              result_options[:proof] = sock.get_once
+
+              if result_options[:proof] && result_options[:proof][/^331.*/]
+                # If we got an OK after the username we can send the PASS
+                sock.put("PASS #{credential.private}\r\n")
+                result_options[:proof] = sock.get_once
+
+                if result_options[:proof] && result_options[:proof][/^230.*/]
+                  # if the pass gives an OK, we're good to go
+                  result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+                end
+              end
+            end
+
+          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
+            result_options.merge!(
+              proof: e.message,
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            )
+          end
+
+          disconnect if self.sock
+
+          Result.new(result_options)
+        end
+
+        private
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+        end
+
+        def swap_sock_plain_to_ssl(nsock=self.sock)
+          ctx =  generate_ssl_context
+          ssl = OpenSSL::SSL::SSLSocket.new(nsock, ctx)
+
+          ssl.connect
+
+          nsock.extend(Rex::Socket::SslTcp)
+          nsock.sslsock = ssl
+          nsock.sslctx  = ctx
+        end
+
+        def generate_ssl_context
+          ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
+          @@cached_rsa_key ||= OpenSSL::PKey::RSA.new(1024){}
+
+          ctx.key = @@cached_rsa_key
+
+          ctx.session_id_context = Rex::Text.rand_text(16)
+
+          ctx
+        end
+      end
+
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/vmware/vmauthd_login.rb b/modules/auxiliary/scanner/vmware/vmauthd_login.rb
@@ -4,6 +4,8 @@
 ##
 
 require 'msf/core/exploit/tcp'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/vmauthd'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -33,103 +35,67 @@ def initialize
   end
 
   def run_host(ip)
-    begin
-
-    connect rescue nil
-    if not self.sock
-      print_error "#{rhost}:#{rport} Could not connect to vmauthd"
-      return
-    end
-
-    banner = sock.get_once(-1, 10)
-    if not banner
-      print_error "#{rhost}:#{rport} No banner received from vmauthd"
-      return
-    end
-
-    banner = banner.strip
-    print_status "#{rhost}:#{rport} Banner: #{banner}"
-
-    unless banner =~ /VMware Authentication Daemon/
-      print_error "#{rhost}:#{rport} This does not appear to be a vmauthd service"
-      return
-    end
+    print_brute :ip => ip, :msg => 'Starting bruteforce'
 
-    if banner =~ /SSL/
-      print_status("#{rhost}:#{rport} Switching to SSL connection...")
-      swap_sock_plain_to_ssl
-    end
-
-    each_user_pass do |user, pass|
-      result = do_login(user, pass)
-      case result
-      when :failed
-        print_error("#{rhost}:#{rport} vmauthd login FAILED - #{user}:#{pass}")
-      when :success
-        print_good("#{rhost}:#{rport} vmauthd login SUCCESS - #{user}:#{pass}")
-        report_auth_info(
-          :host   => rhost,
-          :port   => rport,
-          :sname  => 'vmauthd',
-          :user   => user,
-          :pass   => pass,
-          :source_type => "user_supplied",
-          :active => true
-        )
-        return if datastore['STOP_ON_SUCCESS']
-      else
-        print_error("#{rhost}:#{rport} Error: #{result}")
+    # Peform a sanity check to ensure that our target is vmauthd before
+    # attempting to brute force it.
+    begin
+      connect rescue nil
+      if !self.sock
+        print_brute :level => :verror, :ip => ip, :msg => 'Could not connect'
+        return
+      end
+      banner = sock.get_once(-1, 10)
+      if !banner || !banner =~ /^220 VMware Authentication Daemon Version.*/
+        print_brute :level => :verror, :ip => ip, :msg => 'Target does not appear to be a vmauthd service'
+        return
       end
-    end
 
-    rescue ::Interrupt
-      raise $!
+      rescue ::Interrupt
+      raise $ERROR_INFO
     ensure
       disconnect
     end
 
-  end
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS']
+    )
+    scanner = Metasploit::Framework::LoginScanner::VMAUTHD.new(
+      host: ip,
+      port: rport,
+      proxies: datastore['PROXIES'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 30
+    )
 
-  def do_login(user, pass, nsock=self.sock)
-    nsock.put("USER #{user}\r\n")
-    res = nsock.get_once
-    unless res.start_with? "331"
-      ret_msg = "Unexpected reply to the USER command: #{res}"
-      return ret_msg
-    end
-    nsock.put("PASS #{pass}\r\n")
-    res = nsock.get_once || ''
-    if res.start_with? "530"
-      return :failed
-    elsif res.start_with? "230"
-      return :success
-    else
-      ret_msg = "Unexpected reply to the PASS command: #{res}"
-      return ret_msg
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(
+          module_fullname: self.fullname,
+          workspace_id: myworkspace_id
+      )
+      case result.status
+        when Metasploit::Model::Login::Status::SUCCESSFUL
+          print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
+          credential_core = create_credential(credential_data)
+          credential_data[:core] = credential_core
+          create_credential_login(credential_data)
+          :next_user
+        when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          print_brute :level => :verror, :ip => ip, :msg => 'Could not connect'
+          invalidate_login(credential_data)
+          :abort
+        when Metasploit::Model::Login::Status::INCORRECT
+          print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}' #{result.proof}"
+          invalidate_login(credential_data)
+      end
     end
   end
-
-  def swap_sock_plain_to_ssl(nsock=self.sock)
-    ctx =  generate_ssl_context()
-    ssl = OpenSSL::SSL::SSLSocket.new(nsock, ctx)
-
-    ssl.connect
-
-    nsock.extend(Rex::Socket::SslTcp)
-    nsock.sslsock = ssl
-    nsock.sslctx  = ctx
-  end
-
-  def generate_ssl_context
-    ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
-    @@cached_rsa_key ||= OpenSSL::PKey::RSA.new(1024){ }
-
-    ctx.key = @@cached_rsa_key
-
-    ctx.session_id_context = Rex::Text.rand_text(16)
-
-    return ctx
-  end
-
-
 end
diff --git a/spec/lib/metasploit/framework/login_scanner/vmauthd_spec.rb b/spec/lib/metasploit/framework/login_scanner/vmauthd_spec.rb
@@ -0,0 +1,46 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/vmauthd'
+
+describe Metasploit::Framework::LoginScanner::VMAUTHD do
+  subject(:scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+  context "#attempt_login" do
+
+    let(:pub_blank) do
+      Metasploit::Framework::Credential.new(
+        paired: true,
+        public: "public",
+        private: ''
+      )
+    end
+    context "Raised Exceptions" do
+      it "Rex::ConnectionError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+        expect(scanner).to receive(:connect).and_raise(Rex::ConnectionError)
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+
+      it "Timeout::Error should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+        expect(scanner).to receive(:connect).and_raise(Timeout::Error)
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+
+      it "EOFError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+        expect(scanner).to receive(:connect).and_raise(EOFError)
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+    end
+
+  end
+end
