Merge branch 'aux-scan-openvas' of git://github.com/kost/metasploit-framework into kost-aux-scan-openvas

Author: sinn3r

modules/auxiliary/scanner/openvas/openvas_gsad_login.rb

@@ -0,0 +1,126 @@
+##
+# openvas_gsad_login.rb
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::AuthBrute
+
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'           => 'OpenVAS gsad Web interface Login Utility',
+			'Description'    => 'This module simply attempts to login to a OpenVAS gsad interface using a specific user/pass.',
+			'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				Opt::RPORT(443),
+				OptString.new('URI', [true, "URI for OpenVAS omp login. Default is /omp", "/omp"]),
+				OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
+				OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true])
+			], self.class)
+
+		register_advanced_options(
+		[
+			OptString.new('OMP_text', [true, "value for OpenVAS omp text login hidden field", "/omp?cmd=get_tasks&amp;overrides=1"]),
+			OptString.new('OMP_cmd', [true, "value for OpenVAS omp cmd login hidden field", "login"])
+		], self.class)
+	end
+
+	def run_host(ip)
+		begin
+			res = send_request_cgi({
+				'uri'     => datastore['URI'],
+				'method'  => 'GET'
+				}, 25)
+			http_fingerprint({ :response => res })
+		rescue ::Rex::ConnectionError => e
+			vprint_error("#{msg} #{datastore['URI']} - #{e}")
+			return
+		end
+
+		if not res
+			vprint_error("#{msg} #{datastore['URI']} - No response")
+			return
+		end
+		if res.code != 200
+			vprint_error("#{msg} - Expected 200 HTTP code - not gsad?")
+			return
+		end
+		if res.body !~ /Greenbone Security Assistant \(GSA\)/
+			vprint_error("#{msg} - Expected GSA keyword on page - not gsad?")
+			return
+		end
+
+		each_user_pass do |user, pass|
+			do_login(user, pass)
+		end
+	end
+
+	def do_login(user='openvas', pass='openvas')
+		vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")
+		headers = {}
+		begin
+			res = send_request_cgi({
+				'encode'   => true,
+				'uri'      => datastore['URI'],
+				'method'   => 'POST',
+				'headers'  => headers,
+				'vars_post' => {
+					'cmd' => datastore['OMP_cmd'],
+					'text' => datastore['OMP_text'],
+					'login' => user,
+					'password' => pass
+				}
+			}, 25)
+
+		rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
+			print_error("#{msg} HTTP Connection Failed, Aborting")
+			return :abort
+		end
+
+		if not res
+			print_error("#{msg} HTTP Connection Error - res, Aborting")
+			return :abort
+		end
+
+		# vprint_status("#{msg} GOT BODY. '#{user}' : '#{pass}' - #{res.code} #{res.body}")
+
+		if res.code == 303
+			print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
+
+			report_hash = {
+				:host   => datastore['RHOST'],
+				:port   => datastore['RPORT'],
+				:sname  => 'openvas-gsa',
+				:user   => user,
+				:pass   => pass,
+				:active => true,
+				:type => 'password'}
+
+			report_auth_info(report_hash)
+			return :next_user
+		end
+		vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")
+		return :skip_pass
+	end
+
+	def msg
+		"#{vhost}:#{rport} OpenVAS gsad -"
+	end
+end

modules/auxiliary/scanner/openvas/openvas_omp_login.rb

@@ -0,0 +1,104 @@
+##
+# openvas_omp_login.rb
+##
+
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::AuthBrute
+
+	def initialize
+	super(
+		'Name'        => 'OpenVAS OMP Login Utility',
+		'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.',
+		'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+		'License'        => MSF_LICENSE
+	)
+	register_options(
+		[
+			Opt::RPORT(9390),
+			OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
+		], self.class)
+
+	register_advanced_options(
+	[
+		OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
+		OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
+	], self.class)
+	end
+
+	def run_host(ip)
+		begin
+			print_status("#{msg} Connecting and checking username and passwords")
+			each_user_pass do |user, pass|
+				do_login(user, pass)
+			end
+		rescue ::Rex::ConnectionError
+		rescue ::Exception => e
+			vprint_error("#{msg} #{e.to_s} #{e.backtrace}")
+		end
+	end
+
+	def omp_send(data=nil, con=true)
+		begin
+			@result=''
+			@coderesult=''
+			if (con)
+				@connected=false
+				connect
+				select(nil,nil,nil,0.4)
+			end
+			@connected=true
+			sock.put(data)
+			@result=sock.get_once
+		rescue ::Exception => err
+			print_error("#{msg} Error: #{err.to_s}")
+		end
+	end
+
+	def do_login(user=nil,pass=nil)
+		begin
+			vprint_status("#{msg} Trying user:'#{user}' with password:'#{pass}'")
+			cmd = "<authenticate><credentials><username>#{user}</username><password>#{pass}</password></credentials></authenticate><HELP/>\r\n"
+			omp_send(cmd,true) # send hello
+			if @result =~ /<authenticate_response.*status="200"/is
+				print_good("#{msg} SUCCESSFUL login for '#{user}' : '#{pass}'")
+				report_auth_info(
+					:host => rhost,
+					:port => rport,
+					:sname => 'openvas-omp',
+					:user => user,
+					:pass => pass,
+					:source_type => "user_supplied",
+					:active => true
+				)
+				disconnect
+				@connected = false
+				return :next_user
+			else
+				if (@connected)
+					disconnect # Sometime openvas disconnect the client after wrongs attempts
+					@connected = false
+				end
+				vprint_error("#{msg} Rejected user: '#{user}' with password: '#{pass}': #{@result}")
+				return :fail
+			end
+			rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+			rescue ::Timeout::Error, ::Errno::EPIPE
+		end
+	end
+
+	def msg
+		"#{rhost}:#{rport} OpenVAS OMP -"
+	end
+end

modules/auxiliary/scanner/openvas/openvas_otp_login.rb

@@ -0,0 +1,117 @@
+##
+# openvas_otp_login.rb
+##
+
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::AuthBrute
+
+	def initialize
+	super(
+		'Name'        => 'OpenVAS OTP Login Utility',
+		'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.',
+		'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+		'License'        => MSF_LICENSE
+	)
+	register_options(
+		[
+			Opt::RPORT(9391),
+			OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
+		], self.class)
+
+	register_advanced_options(
+	[
+		OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
+		OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
+	], self.class)
+	end
+
+	def run_host(ip)
+		begin
+			print_status("#{msg} Connecting and checking username and passwords")
+			each_user_pass do |user, pass|
+				do_login(user, pass)
+			end
+		rescue ::Rex::ConnectionError
+		rescue ::Exception => e
+			vprint_error("#{msg} #{e.to_s} #{e.backtrace}")
+		end
+	end
+
+	def otp_send(data=nil, con=true)
+		begin
+			@result=''
+			@coderesult=''
+			if (con)
+				@connected=false
+				connect
+				select(nil,nil,nil,0.4)
+			end
+			@connected=true
+			sock.put(data)
+			@result=sock.get_once
+		rescue ::Exception => err
+			print_error("#{msg} Error: #{err.to_s}")
+		end
+	end
+
+	def do_login(user=nil,pass=nil)
+		begin
+			otp_send("< OTP/1.0 >\n",true) # send hello
+			if @result !~ /\<\ OTP\/1\.0 \>/
+				print_error("#{msg} OpenVAS OTP does not appear to be running: did not get response to OTP hello: #{@result}")
+				return :abort
+			end
+
+			vprint_status("#{msg} Trying user:'#{user}' with password:'#{pass}'")
+			otp_send(nil,!@connected)
+			if @result !~ /User\ \:/
+				print_error("#{msg} OpenVAS OTP did not send User request: #{@result}")
+			end
+			otp_send("#{user}\n",!@connected)
+			if @result !~ /Password\ \:/
+				print_error("#{msg} OpenVAS OTP did not send Password request: #{@result}")
+			end
+			otp_send("#{pass}\n",!@connected)
+			if @result =~ /SERVER <|>.*<|> SERVER/is
+				print_good("#{msg} SUCCESSFUL login for '#{user}' : '#{pass}'")
+				report_auth_info(
+					:host => rhost,
+					:port => rport,
+					:sname => 'openvas-otp',
+					:user => user,
+					:pass => pass,
+					:source_type => "user_supplied",
+					:active => true
+				)
+				disconnect
+				@connected = false
+				return :next_user
+			else
+				if (@connected)
+					disconnect # Sometime openvas disconnect the client after wrongs attempts
+					@connected = false
+				end
+				vprint_error("#{msg} Rejected user: '#{user}' with password: '#{pass}': #{@result}")
+				return :fail
+			end
+			rescue ::Rex::ConnectionError
+			rescue ::Timeout::Error, ::Errno::EPIPE
+		end
+	end
+
+	def msg
+		"#{rhost}:#{rport} OpenVAS OTP -"
+	end
+end