Land rapid7#3746, reinstate DB_ALL_CREDS

Author: egypt

lib/msf/core/auxiliary/auth_brute.rb

@@ -49,6 +49,53 @@ def setup
     @@max_per_service = nil
   end
 
+  # This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing NTLMHashes
+  # from the database. This allows the users to use the DB_ALL_CREDS option.
+  #
+  # @param [Metasploit::Framework::CredentialCollection]  the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_hashes(cred_collection)
+    if datastore['DB_ALL_CREDS'] && framework.db.active
+      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::NTLMHash' }, workspace_id: myworkspace.id)
+      creds.each do |cred|
+        cred_collection.prepend_cred(cred.to_credential)
+      end
+    end
+    cred_collection
+  end
+
+  # This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing SSHKeys
+  # from the database. This allows the users to use the DB_ALL_CREDS option.
+  #
+  # @param [Metasploit::Framework::CredentialCollection]  the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_keys(cred_collection)
+    if datastore['DB_ALL_CREDS'] && framework.db.active
+      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::SSHKey' }, workspace_id: myworkspace.id)
+      creds.each do |cred|
+        cred_collection.prepend_cred(cred.to_credential)
+      end
+    end
+    cred_collection
+  end
+
+  # This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing Password Credentials
+  # from the database. This allows the users to use the DB_ALL_CREDS option.
+  #
+  # @param [Metasploit::Framework::CredentialCollection]  the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_passwords(cred_collection)
+    if datastore['DB_ALL_CREDS'] && framework.db.active
+      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::Password' }, workspace_id: myworkspace.id)
+      creds.each do |cred|
+        cred_collection.prepend_cred(cred.to_credential)
+      end
+    end
+    cred_collection
+  end
+
+
+
   # Checks all three files for usernames and passwords, and combines them into
   # one credential list to apply against the supplied block. The block (usually
   # something like do_login(user,pass) ) is responsible for actually recording

modules/auxiliary/scanner/afp/afp_login.rb

@@ -54,6 +54,8 @@ def run_host(ip)
         user_as_pass: datastore['USER_AS_PASS'],
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::AFP.new(
         host: ip,
         port: rport,

modules/auxiliary/scanner/db2/db2_auth.rb

@@ -52,6 +52,8 @@ def run_host(ip)
         realm: datastore['DATABASE']
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::DB2.new(
         host: ip,
         port: rport,

modules/auxiliary/scanner/ftp/ftp_login.rb

@@ -66,6 +66,8 @@ def run_host(ip)
         prepended_creds: anonymous_creds
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::FTP.new(
         host: ip,
         port: rport,

modules/auxiliary/scanner/http/axis_login.rb

@@ -72,6 +72,8 @@ def run_host(ip)
       user_as_pass: datastore['USER_AS_PASS'],
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::Axis2.new(
       host: ip,
       port: rport,

modules/auxiliary/scanner/http/http_login.rb

@@ -129,6 +129,8 @@ def run_host(ip)
       user_as_pass: datastore['USER_AS_PASS'],
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::HTTP.new(
       host: ip,
       port: rport,

modules/auxiliary/scanner/http/tomcat_mgr_login.rb

@@ -103,13 +103,17 @@ def run_host(ip)
         user_as_pass: datastore['USER_AS_PASS'],
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::Tomcat.new(
         host: ip,
         port: rport,
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
-        connection_timeout: 10
+        connection_timeout: 10,
+        user_agent: datastore['UserAgent'],
+        vhost: datastore['VHOST']
     )
 
     scanner.scan! do |result|

modules/auxiliary/scanner/mssql/mssql_login.rb

@@ -43,6 +43,8 @@ def run_host(ip)
         realm: datastore['DOMAIN']
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::MSSQL.new(
         host: ip,
         port: rport,

modules/auxiliary/scanner/mysql/mysql_login.rb

@@ -47,6 +47,8 @@ def run_host(ip)
             user_as_pass: datastore['USER_AS_PASS'],
         )
 
+        cred_collection = prepend_db_passwords(cred_collection)
+
         scanner = Metasploit::Framework::LoginScanner::MySQL.new(
             host: ip,
             port: rport,

modules/auxiliary/scanner/pop3/pop3_login.rb

@@ -62,6 +62,8 @@ def run_host(ip)
       user_as_pass: datastore['USER_AS_PASS'],
     )
 
+    cred_collection = prepend_db_passwords(cred_collection)
+
     scanner = Metasploit::Framework::LoginScanner::POP3.new(
       host: ip,
       port: rport,