Land rapid7#4540, resolves rapid7#4532, honour DB_ALL_* options

Meatballs1 · Meatballs1 · commit bdbb26ba3148 · 2015-01-07T21:12:23.000Z
diff --git a/lib/metasploit/framework/credential_collection.rb b/lib/metasploit/framework/credential_collection.rb
@@ -2,6 +2,18 @@
 
 class Metasploit::Framework::CredentialCollection
 
+  # @!attribute additional_privates
+  #   Additional privates to be combined
+  #
+  #   @return [Array<String>]
+  attr_accessor :additional_privates
+
+  # @!attribute additional_publics
+  #   Additional public to be combined
+  #
+  #   @return [Array<String>]
+  attr_accessor :additional_publics
+
   # @!attribute blank_passwords
   #   Whether each username should be tried with a blank password
   #   @return [Boolean]
@@ -59,7 +71,27 @@ def initialize(opts = {})
     opts.each do |attribute, value|
       public_send("#{attribute}=", value)
     end
-    self.prepended_creds ||= []
+    self.prepended_creds     ||= []
+    self.additional_privates ||= []
+    self.additional_publics  ||= []
+  end
+
+  # Adds a string as an addition private credential
+  # to be combined in the collection.
+  #
+  # @param [String] :private_str the string to use as a private
+  # @return [void]
+  def add_private(private_str='')
+    additional_privates << private_str
+  end
+
+  # Adds a string as an addition public credential
+  # to be combined in the collection.
+  #
+  # @param [String] :public_str the string to use as a public
+  # @return [void]
+  def add_public(public_str='')
+    additional_publics << public_str
   end
 
   # Add {Credential credentials} that will be yielded by {#each}
@@ -101,6 +133,9 @@ def each
         end
         pass_fd.seek(0)
       end
+      additional_privates.each do |add_private|
+        yield Metasploit::Framework::Credential.new(public: username, private: add_private, realm: realm, private_type: private_type(add_private))
+      end
     end
 
     if user_file.present?
@@ -123,6 +158,9 @@ def each
             end
             pass_fd.seek(0)
           end
+          additional_privates.each do |add_private|
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: add_private, realm: realm, private_type: private_type(add_private))
+          end
         end
       end
     end
@@ -141,6 +179,28 @@ def each
       end
     end
 
+    additional_publics.each do |add_public|
+      if password.present?
+        yield Metasploit::Framework::Credential.new(public: add_public, private: password, realm: realm, private_type: private_type(password) )
+      end
+      if user_as_pass
+        yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: :password)
+      end
+      if blank_passwords
+        yield Metasploit::Framework::Credential.new(public: add_public, private: "", realm: realm, private_type: :password)
+      end
+      if pass_fd
+        pass_fd.each_line do |pass_from_file|
+          pass_from_file.chomp!
+          yield Metasploit::Framework::Credential.new(public: add_public, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
+        end
+        pass_fd.seek(0)
+      end
+      additional_privates.each do |add_private|
+        yield Metasploit::Framework::Credential.new(public: add_public, private: add_private, realm: realm, private_type: private_type(add_private))
+      end
+    end
+
   ensure
     pass_fd.close if pass_fd && !pass_fd.closed?
   end
diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb
@@ -49,17 +49,57 @@ def setup
     @@max_per_service = nil
   end
 
+  # Yields each {Metasploit::Credential::Core} in the {Mdm::Workspace} with
+  # a private type of 'ntlm_hash'
+  #
+  # @yieldparam [Metasploit::Credential::Core]
+  def each_ntlm_cred
+    creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::NTLMHash' }, workspace_id: myworkspace.id)
+    creds.each do |cred|
+      yield cred
+    end
+  end
+
+  # Yields each {Metasploit::Credential::Core} in the {Mdm::Workspace} with
+  # a private type of 'password'
+  #
+  # @yieldparam [Metasploit::Credential::Core]
+  def each_password_cred
+    creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::Password' }, workspace_id: myworkspace.id)
+    creds.each do |cred|
+      yield cred
+    end
+  end
+
+  # Yields each {Metasploit::Credential::Core} in the {Mdm::Workspace} with
+  # a private type of 'ssh_key'
+  #
+  # @yieldparam [Metasploit::Credential::Core]
+  def each_ssh_cred
+    creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::SSHKey' }, workspace_id: myworkspace.id)
+    creds.each do |cred|
+      yield cred
+    end
+  end
+
+  # Checks whether we should be adding creds from the DB to a CredCollection
+  #
+  # @return [TrueClass] if any of the datastore options for db creds are selected and the db is active
+  # @return [FalseClass] if none of the datastore options are selected OR the db is not active
+  def prepend_db_creds?
+    (datastore['DB_ALL_CREDS'] || datastore['DB_ALL_PASS'] || datastore['DB_ALL_USERS']) && framework.db.active
+  end
+
   # This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing NTLMHashes
   # from the database. This allows the users to use the DB_ALL_CREDS option.
   #
   # @param cred_collection [Metasploit::Framework::CredentialCollection]
   #   the credential collection to add to
   # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
   def prepend_db_hashes(cred_collection)
-    if datastore['DB_ALL_CREDS'] && framework.db.active
-      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::NTLMHash' }, workspace_id: myworkspace.id)
-      creds.each do |cred|
-        cred_collection.prepend_cred(cred.to_credential)
+    if prepend_db_creds?
+      each_ntlm_cred do |cred|
+        process_cred_for_collection(cred_collection,cred)
       end
     end
     cred_collection
@@ -72,10 +112,9 @@ def prepend_db_hashes(cred_collection)
   #    the credential collection to add to
   # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
   def prepend_db_keys(cred_collection)
-    if datastore['DB_ALL_CREDS'] && framework.db.active
-      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::SSHKey' }, workspace_id: myworkspace.id)
-      creds.each do |cred|
-        cred_collection.prepend_cred(cred.to_credential)
+    if prepend_db_creds?
+      each_ssh_cred do |cred|
+        process_cred_for_collection(cred_collection,cred)
       end
     end
     cred_collection
@@ -88,15 +127,27 @@ def prepend_db_keys(cred_collection)
   #    the credential collection to add to
   # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
   def prepend_db_passwords(cred_collection)
-    if datastore['DB_ALL_CREDS'] && framework.db.active
-      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::Password' }, workspace_id: myworkspace.id)
-      creds.each do |cred|
-        cred_collection.prepend_cred(cred.to_credential)
+    if prepend_db_creds?
+      each_password_cred do |cred|
+        process_cred_for_collection(cred_collection,cred)
       end
     end
     cred_collection
   end
 
+  # Takes a {Metasploit::Credential::Core} and converts it into a
+  # {Metasploit::Framework::Credential} and processes it into the
+  # {Metasploit::Framework::CredentialCollection} as dictated by the
+  # selected datastore options.
+  #
+  # @param [Metasploit::Framework::CredentialCollection] the credential collection to add to
+  # @param [Metasploit::Credential::Core] the Credential Core to process
+  def process_cred_for_collection(cred_collection, cred)
+    msf_cred = cred.to_credential
+    cred_collection.prepend_cred(msf_cred) if datastore['DB_ALL_CREDS']
+    cred_collection.add_private(msf_cred.private) if datastore['DB_ALL_PASS']
+    cred_collection.add_public(msf_cred.public) if datastore['DB_ALL_USERS']
+  end
 
 
   # Checks all three files for usernames and passwords, and combines them into
