remove brocade_telnet scanner, extend telnet

Rather than duplicate the entire telnet scanner, add a pre-login hook that a
module can use to extend the behavior on connect. This also adds a local
pass-through print_error method like http has.

Author: Brent Cook

lib/metasploit/framework/login_scanner/brocade_telnet.rb

@@ -30,6 +30,11 @@ class Telnet
         #
         #   @return [Fixnum]
         attr_accessor :telnet_timeout
+        # @!attribute verbosity
+        #   Prepend code to call before checking for a user login
+        #
+        #   @return [Proc]
+        attr_accessor :pre_login
 
         validates :banner_timeout,
                   presence: true,
@@ -66,6 +71,10 @@ def attempt_login(credential)
             end
 
             unless result_options[:status]
+              if pre_login
+                pre_login.call(self)
+              end
+
               unless password_prompt?
                 send_user(credential.public)
               end
@@ -108,13 +117,18 @@ def set_sane_defaults
           self.port               ||= DEFAULT_PORT
           self.banner_timeout     ||= 25
           self.telnet_timeout     ||= 10
+          self.pre_login          ||= nil
           self.connection_timeout ||= 30
           self.max_send_size      ||= 0
           self.send_delay         ||= 0
           # Shim to set up the ivars from the old Login mixin
           create_login_ivars
         end
 
+        def print_error( message )
+          return if !@parent
+          @parent.print_error message
+        end
       end
     end
   end

lib/metasploit/framework/login_scanner/telnet.rb

@@ -6,7 +6,7 @@
 require 'msf/core'
 require 'rex'
 require 'metasploit/framework/credential_collection'
-require 'metasploit/framework/login_scanner/brocade_telnet'
+require 'metasploit/framework/login_scanner/telnet'
 
 class Metasploit4 < Msf::Auxiliary
 
@@ -20,16 +20,14 @@ def initialize
     super(
       'Name'        => 'Brocade Enable Login Check Scanner',
       'Description' => %q{
-        This module will test a Brocade network device for a privilged
-        (Enable) login on a range of machines and report successful
-        logins.  If you have loaded a database plugin and connected
-        to a database this module will record successful
-        logins and hosts so you can track your access.
-        This is not a login/telnet authentication.  Config should NOT
-        have 'enable telnet authentication' in it.  This will test the
-        config that contains 'aaa authentication enable default local'
-        Tested against:
-              ICX6450-24 SWver 07.4.00bT311
+        This module will test a range of Brocade network devices for a
+        privileged logins and report successes. The device authentication mode
+        must be set as 'aaa authentication enable default local'.
+        Telnet authentication, e.g. 'enable telnet authentication', should not
+        be enabled in the device configuration.
+
+        This module has been tested against the following devices:
+              ICX6450-24 SWver 07.4.00bT311,
               FastIron WS 624 SWver 07.2.02fT7e1
       },
       'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
@@ -48,25 +46,29 @@ def initialize
   end
 
   def get_username_from_config(un_list,ip)
-    ["config","running-config"].each do |command|
+    ["config", "running-config"].each do |command|
       print_status(" Attempting username gathering from #{command} on #{ip}")
-      sock.puts("\r\n") #ensure the buffer is clear
+      sock.puts("\r\n") # ensure that the buffer is clear
       config = sock.recv(1024)
       sock.puts("show #{command}\r\n")
+
+      # pull the entire config
       while true do
-        sock.puts(" \r\n") #paging
+        sock.puts(" \r\n") # paging
         config << sock.recv(1024)
-        #there seems to be some buffering issues. so we want to match that we're back at a prompt, as well as received the 'end' of the config.
+        # Read until we are back at a prompt and have received the 'end' of
+        # the config.
         break if config.match(/>$/) and config.match(/end/)
-      end #pull the entire config
+      end
+
       config.each_line do |un|
         if un.match(/^username/)
           found_username = un.split(" ")[1].strip
           un_list.push(found_username)
           print_status("   Found: #{found_username}@#{ip}")
-        end #username match
-      end #each line in config
-    end #end config/running-config loop
+        end
+      end
+    end
   end
 
   attr_accessor :no_pass_prompt
@@ -99,7 +101,7 @@ def run_host(ip)
 
       cred_collection = prepend_db_passwords(cred_collection)
 
-      scanner = Metasploit::Framework::LoginScanner::Brocade_Telnet.new(
+      scanner = Metasploit::Framework::LoginScanner::Telnet.new(
           host: ip,
           port: rport,
           proxies: datastore['PROXIES'],
@@ -111,6 +113,7 @@ def run_host(ip)
           send_delay: datastore['TCP::send_delay'],
           banner_timeout: datastore['TelnetBannerTimeout'],
           telnet_timeout: datastore['TelnetTimeout'],
+          pre_login: lambda{ |s| raw_send("enable\r\n", nsock = s.sock) },
           framework: framework,
           framework_module: self,
       )
@@ -121,6 +124,7 @@ def run_host(ip)
             module_fullname: self.fullname,
             workspace_id: myworkspace_id
         )
+
         if result.success?
           credential_core = create_credential(credential_data)
           credential_data[:core] = credential_core
@@ -132,7 +136,7 @@ def run_host(ip)
           print_error("#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})")
         end
       end
-    end #end un loop
+    end
   end
 
   def start_telnet_session(host, port, user, pass, scanner)