Land #11927, Add Brocade post module and config parser
This commit is contained in:
commit
0ed09cc9bf
|
@ -0,0 +1,50 @@
|
|||
## General Notes
|
||||
|
||||
This module imports a Brocade configuration file into the database.
|
||||
This is similar to `post/brocade/gather/enum_brocade` only access isn't required,
|
||||
and assumes you already have the file.
|
||||
|
||||
Example files for import can be found on git, like [this](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf).
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Have a Brocade configuration file
|
||||
2. Start `msfconsole`
|
||||
3. `use auxiliary/admin/brocade/brocade_config`
|
||||
4. `set RHOST x.x.x.x`
|
||||
5. `set CONFIG /tmp/file.config`
|
||||
6. `run`
|
||||
|
||||
## Options
|
||||
|
||||
**RHOST**
|
||||
|
||||
Needed for setting services and items to. This is relatively arbitrary.
|
||||
|
||||
**CONFIG**
|
||||
|
||||
File path to the configuration file.
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf5 > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf
|
||||
msf5 > use auxiliary/admin/brocade/brocade_config
|
||||
msf5 auxiliary(admin/brocade/brocade_config) > set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
msf5 auxiliary(admin/brocade/brocade_config) > set config /tmp/brocade.conf
|
||||
config => /tmp/brocade.conf
|
||||
msf5 auxiliary(admin/brocade/brocade_config) > run
|
||||
[*] Running module against 127.0.0.1
|
||||
|
||||
[*] Importing config
|
||||
[+] password-display is enabled, hashes will be displayed in config
|
||||
[+] enable password hash $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
|
||||
[+] User brocade of type 8 found with password hash $1$f/uxhovU$dST5lNskZCPQe/5QijULi0.
|
||||
[+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
|
||||
[+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
|
||||
[+] Config import successful
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module has been tested on the following hardware/OS combinations.
|
||||
|
||||
* Brocade ICX 6430-24
|
||||
* Firmware: 08.0.20T311
|
||||
|
||||
The ICX config can be found [no passwords](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_nopass.conf),
|
||||
[hashes](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_pass.conf)
|
||||
|
||||
This module will look for the follow parameters which contain credentials:
|
||||
|
||||
* FastIron
|
||||
* `show configuration`
|
||||
|
||||
!!! keep in mind 'password-display' http://wwwaem.brocade.com/content/html/en/command-reference-guide/fastiron-08040-commandref/GUID-169889CD-1A74-4A23-AC78-38796692374F.html
|
||||
!!! need to be able to give a password to enable
|
||||
|
||||
* super-user-password
|
||||
* username
|
||||
* SNMP
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
2. Get a shell
|
||||
3. Do: ```use post/brocade/gather/enum_brocade```
|
||||
4. Do: ```set session [id]```
|
||||
5. Do: ```set verbose true```
|
||||
6. Do: ```run```
|
||||
|
||||
## Scenarios
|
||||
|
||||
### ICX 6430-24, FastIron 08.0.20T311
|
||||
|
||||
#### SSH Session with password-display off
|
||||
|
||||
```
|
||||
resource (brocade.rb)> use post/brocade/gather/enum_brocade
|
||||
resource (brocade.rb)> set session 1
|
||||
session => 1
|
||||
resource (brocade.rb)> set verbose true
|
||||
verbose => true
|
||||
resource (brocade.rb)> run
|
||||
[*] In a non-enabled cli
|
||||
[*] Getting version information
|
||||
[*] OS: 08.0.30hT311
|
||||
[+] Version information stored in to loot /root/.msf4/loot/20190601203656_default_10.0.4.51_brocade.version_751557.txt
|
||||
[*] Gathering info from show configuration
|
||||
[!] password-display is disabled, no password hashes displayed in config
|
||||
[*] Post module execution completed
|
||||
```
|
||||
|
||||
#### SSH Session with Enable run
|
||||
|
||||
```
|
||||
resource (brocade.rb)> use post/brocade/gather/enum_brocade
|
||||
resource (brocade.rb)> set session 1
|
||||
session => 1
|
||||
resource (brocade.rb)> set verbose true
|
||||
verbose => true
|
||||
[*] In an enabled cli
|
||||
[*] Getting version information
|
||||
[*] OS: 08.0.30hT311
|
||||
[+] Version information stored in to loot /root/.msf4/loot/20190601221921_default_10.0.4.51_brocade.version_839783.txt
|
||||
[*] Gathering info from show configuration
|
||||
[+] password-display is enabled, hashes will be displayed in config
|
||||
[+] enable password hash $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
|
||||
[+] User brocade of type 8 found with password hash $1$f/uxhovU$dST5lNskZCPQe/5QijULi0.
|
||||
[+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
|
||||
[+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
|
||||
[*] Post module execution completed
|
||||
msf5 post(brocade/gather/enum_brocade) > loot
|
||||
|
||||
Loot
|
||||
====
|
||||
|
||||
host service type name content info path
|
||||
---- ------- ---- ---- ------- ---- ----
|
||||
10.0.4.51 brocade.version version.txt text/plain Brocade Version /root/.msf4/loot/20190601221959_default_10.0.4.51_brocade.version_003751.txt
|
||||
10.0.4.51 brocade.config config.txt text/plain Brocade Configuration /root/.msf4/loot/20190601222004_default_10.0.4.51_brocade.config_998514.txt
|
||||
|
||||
msf5 post(brocade/gather/enum_brocade) > creds
|
||||
Credentials
|
||||
===========
|
||||
|
||||
host origin service public private realm private_type
|
||||
---- ------ ------- ------ ------- ----- ------------
|
||||
10.0.4.51 10.0.4.51 22/tcp enable $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm. Nonreplayable hash
|
||||
10.0.4.51 10.0.4.51 161/udp (snmp) $MlVzZCFAbg== Nonreplayable hash
|
||||
10.0.4.51 10.0.4.51 161/udp (snmp) $U2kyXj1k Nonreplayable hash
|
||||
10.0.4.51 10.0.4.51 22/tcp brocade $1$f/uxhovU$dST5lNskZCPQe/5QijULi0 Nonreplayable hash
|
||||
```
|
|
@ -146,6 +146,12 @@ module Metasploit
|
|||
# Juniper JunOS CLI
|
||||
elsif proof =~ /unknown command: id/
|
||||
proof = ssh_socket.exec!("show version\n").split("\n")[2..4].join(", ").to_s
|
||||
# Brocade CLI
|
||||
elsif proof =~ /Invalid input -> id/ || proof =~ /Protocol error, doesn't start with scp\!/
|
||||
proof = ssh_socket.exec!("show version\n").to_s
|
||||
if proof =~ /Version:(?<os_version>.+).+HW: (?<hardware>)/mi
|
||||
proof = "Model: #{hardware}, OS: #{os_version}"
|
||||
end
|
||||
else
|
||||
proof << ssh_socket.exec!("help\n?\n\n\n").to_s
|
||||
end
|
||||
|
|
|
@ -0,0 +1,128 @@
|
|||
# -*- coding: binary -*-
|
||||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# This module provides methods for working with Brocade equipment
|
||||
#
|
||||
###
|
||||
module Auxiliary::Brocade
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def create_credential_and_login(opts={})
|
||||
return nil unless active_db?
|
||||
|
||||
if self.respond_to?(:[]) and self[:task]
|
||||
opts[:task_id] ||= self[:task].record.id
|
||||
end
|
||||
|
||||
core = opts.fetch(:core, create_credential(opts))
|
||||
access_level = opts.fetch(:access_level, nil)
|
||||
last_attempted_at = opts.fetch(:last_attempted_at, nil)
|
||||
status = opts.fetch(:status, Metasploit::Model::Login::Status::UNTRIED)
|
||||
|
||||
login_object = nil
|
||||
retry_transaction do
|
||||
service_object = create_credential_service(opts)
|
||||
login_object = Metasploit::Credential::Login.where(core_id: core.id, service_id: service_object.id).first_or_initialize
|
||||
|
||||
if opts[:task_id]
|
||||
login_object.tasks << Mdm::Task.find(opts[:task_id])
|
||||
end
|
||||
|
||||
login_object.access_level = access_level if access_level
|
||||
login_object.last_attempted_at = last_attempted_at if last_attempted_at
|
||||
if status == Metasploit::Model::Login::Status::UNTRIED
|
||||
if login_object.last_attempted_at.nil?
|
||||
login_object.status = status
|
||||
end
|
||||
else
|
||||
login_object.status = status
|
||||
end
|
||||
login_object.save!
|
||||
end
|
||||
|
||||
login_object
|
||||
end
|
||||
|
||||
|
||||
def brocade_config_eater(thost, tport, config)
|
||||
# this is for brocade type devices.
|
||||
# It is similar to cisco
|
||||
# Docs: enable password-display -> http://wwwaem.brocade.com/content/html/en/command-reference-guide/fastiron-08040-commandref/GUID-169889CD-1A74-4A23-AC78-38796692374F.html
|
||||
|
||||
credential_data = {
|
||||
address: thost,
|
||||
port: tport,
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: self.fullname,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
|
||||
store_loot('brocade.config', 'text/plain', thost, config.strip, 'config.txt', 'Brocade Configuration')
|
||||
|
||||
# Brocade has this one configuration called "password display". With it, we get hashes. With out it, just ...
|
||||
if config =~ /enable password-display/
|
||||
print_good('password-display is enabled, hashes will be displayed in config')
|
||||
else
|
||||
print_bad('password-display is disabled, no password hashes displayed in config')
|
||||
end
|
||||
|
||||
# enable password
|
||||
# Example lines:
|
||||
# enable super-user-password 8 $1$QP3H93Wm$uxYAs2HmAK01QiP3ig5tm.
|
||||
config.scan(/enable super-user-password 8 (?<admin_password_hash>.+)/i).each do |result|
|
||||
admin_hash = result[0].strip
|
||||
unless admin_hash == '.....'
|
||||
print_good("enable password hash #{admin_hash}")
|
||||
cred = credential_data.dup
|
||||
cred[:username] = 'enable'
|
||||
cred[:private_data] = admin_hash
|
||||
cred[:private_type] = :nonreplayable_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
|
||||
# user account
|
||||
# Example lines:
|
||||
# username brocade password 8 $1$YBaHUWpr$PzeUrP0XmVOyVNM5rYy99/
|
||||
config.scan(/username "?(?<user_name>[a-z0-9]+)"? password (?<user_type>\w+) (?<user_hash>[0-9a-z=\$\/]{34})/i).each do |result|
|
||||
user_name = result[0].strip
|
||||
user_type = result[1].strip
|
||||
user_hash = result[2].strip
|
||||
unless user_hash == '.....'
|
||||
print_good("User #{user_name} of type #{user_type} found with password hash #{user_hash}.")
|
||||
cred = credential_data.dup
|
||||
cred[:username] = user_name
|
||||
cred[:private_data] = user_hash
|
||||
cred[:private_type] = :nonreplayable_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
|
||||
# snmp
|
||||
# Example lines:
|
||||
# snmp-server community 1 $Si2^=d rw
|
||||
# these at times look base64 encoded, which they may be, but are also encrypted
|
||||
config.scan(/snmp-server community (?<snmp_id>[\d]+) (?<snmp_community>.+) (?<snmp_permissions>rw|ro)/i).each do |result|
|
||||
snmp_community = result[1].strip
|
||||
snmp_permissions = result[2].strip
|
||||
unless snmp_community == '.....'
|
||||
print_good("#{'ENCRYPTED ' if snmp_community.start_with?('$')}SNMP community #{snmp_community} with permissions #{snmp_permissions}")
|
||||
cred = credential_data.dup
|
||||
cred[:protocol] = 'udp'
|
||||
cred[:port] = 161
|
||||
cred[:service_name] = 'snmp'
|
||||
cred[:private_data] = snmp_community
|
||||
cred[:private_type] = :nonreplayable_hash
|
||||
create_credential_and_login(cred)
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -21,6 +21,7 @@ require 'msf/core/auxiliary/login'
|
|||
require 'msf/core/auxiliary/rservices'
|
||||
require 'msf/core/auxiliary/cisco'
|
||||
require 'msf/core/auxiliary/juniper'
|
||||
require 'msf/core/auxiliary/brocade'
|
||||
require 'msf/core/auxiliary/kademlia'
|
||||
require 'msf/core/auxiliary/llmnr'
|
||||
require 'msf/core/auxiliary/mdns'
|
||||
|
|
|
@ -411,6 +411,14 @@ class Msf::Module::Platform
|
|||
Alias = "unifi"
|
||||
end
|
||||
|
||||
#
|
||||
# Brocade
|
||||
#
|
||||
class Brocade < Msf::Module::Platform
|
||||
Rank = 100
|
||||
Alias = "brocade"
|
||||
end
|
||||
|
||||
#
|
||||
# Solaris
|
||||
#
|
||||
|
|
|
@ -76,6 +76,7 @@ class Msf::Payload::UUID
|
|||
25 => 'apple_ios',
|
||||
26 => 'juniper',
|
||||
27 => 'unifi',
|
||||
28 => 'brocade',
|
||||
}
|
||||
|
||||
# The raw length of the UUID structure
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/auxiliary/brocade'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Brocade
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Brocade Configuration Importer',
|
||||
'Description' => %q{
|
||||
This module imports a Brocade device configuration.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'h00die'],
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPath.new('CONFIG', [true, 'Path to configuration to import']),
|
||||
Opt::RHOST(),
|
||||
Opt::RPORT(22)
|
||||
])
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
unless ::File.exist?(datastore['CONFIG'])
|
||||
fail_with Failure::BadConfig, "Brocade config file #{datastore['CONFIG']} does not exists!"
|
||||
end
|
||||
brocade_config = ::File.open(datastore['CONFIG'], "rb")
|
||||
print_status('Importing config')
|
||||
brocade_config_eater(datastore['RHOSTS'],datastore['RPORT'],brocade_config.read)
|
||||
print_good('Config import successful')
|
||||
end
|
||||
end
|
||||
|
||||
|
|
@ -0,0 +1,97 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/auxiliary/brocade'
|
||||
|
||||
class MetasploitModule < Msf::Post
|
||||
include Msf::Auxiliary::Brocade
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Brocade Gather Device General Information',
|
||||
'Description' => %q{
|
||||
This module collects Brocade device information and configuration.
|
||||
This module has been tested against an icx6430 running 08.0.20T311.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'h00die'],
|
||||
'Platform' => [ 'brocade'],
|
||||
'SessionTypes' => [ 'shell' ]
|
||||
))
|
||||
end
|
||||
|
||||
def run
|
||||
# Get device prompt
|
||||
prompt = session.shell_command("\n")
|
||||
|
||||
if prompt.end_with?('(config)#') # config shell
|
||||
vprint_status('In a config cli')
|
||||
session.shell_write("skip-page-display\n")
|
||||
session.shell_write("terminal length 0\n")
|
||||
elsif prompt.end_with?('#') # regular cli shell (non-config)
|
||||
vprint_status('In an enabled cli')
|
||||
session.shell_write("skip-page-display\n")
|
||||
session.shell_write("terminal length 0\n")
|
||||
elsif prompt.end_with?('>') # cli not enabled
|
||||
vprint_status('In a non-enabled cli')
|
||||
end
|
||||
|
||||
# attempt to disable paging, cli not enabled this will fail anyways
|
||||
session.shell_write("skip-page-display\n")
|
||||
session.shell_write("terminal length 0\n")
|
||||
|
||||
# Get version info
|
||||
print_status('Getting version information')
|
||||
version_out = session.shell_command("show version\n")
|
||||
if /^, Version: (?<ver>.+) | SW: Version (?<ver>.+) /i =~ version_out
|
||||
vprint_status("OS: #{ver}")
|
||||
end
|
||||
|
||||
ver_loc = store_loot('brocade.version',
|
||||
'text/plain',
|
||||
session,
|
||||
version_out.strip,
|
||||
'version.txt',
|
||||
'Brocade Version')
|
||||
|
||||
# Print the version of VERBOSE set to true.
|
||||
vprint_good("Version information stored in to loot #{ver_loc}")
|
||||
|
||||
# run additional information gathering
|
||||
enum_configs(prompt)
|
||||
end
|
||||
|
||||
# run commands found in exec mode under privilege 1
|
||||
def enum_configs(prompt)
|
||||
host,port = session.session_host, session.session_port
|
||||
exec_commands = [
|
||||
{
|
||||
'cmd' => 'show configuration',
|
||||
'fn' => 'get_config',
|
||||
'desc' => 'Get Device Config on Brocade Device'
|
||||
},
|
||||
]
|
||||
exec_commands.each do |ec|
|
||||
command = ec['cmd']
|
||||
cmd_out = session.shell_command(command).gsub(/#{command}|#{prompt}/,"")
|
||||
print_status("Gathering info from #{command}")
|
||||
# detect if we're in pagination and get as much data as possible
|
||||
if cmd_out.include?('--More--')
|
||||
cmd_out += session.shell_command(" \n"*20) #20 pages *should* be enough
|
||||
end
|
||||
if ec['fn'] == 'get_config'
|
||||
brocade_config_eater(host,port,cmd_out.strip)
|
||||
else
|
||||
cmd_loc = store_loot("brocade.#{ec['fn']}",
|
||||
"text/plain",
|
||||
session,
|
||||
cmd_out.strip,
|
||||
"#{ec['fn']}.txt",
|
||||
ec['desc'])
|
||||
vprint_good("Saving to #{cmd_loc}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -0,0 +1,181 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'spec_helper'
|
||||
|
||||
require 'msf/core/auxiliary/brocade'
|
||||
|
||||
RSpec.describe Msf::Auxiliary::Brocade do
|
||||
class DummyClass
|
||||
include Msf::Auxiliary::Brocade
|
||||
def framework
|
||||
Msf::Simple::Framework.create(
|
||||
'ConfigDirectory' => Rails.root.join('spec', 'dummy', 'framework', 'config').to_s,
|
||||
# don't load any module paths so we can just load the module under test and save time
|
||||
'DeferModuleLoads' => true
|
||||
)
|
||||
end
|
||||
def active_db?
|
||||
true
|
||||
end
|
||||
def print_good(str=nil)
|
||||
raise StandardError.new("This method needs to be stubbed.")
|
||||
end
|
||||
def print_bad(str=nil)
|
||||
raise StandardError.new("This method needs to be stubbed.")
|
||||
end
|
||||
def store_cred(hsh=nil)
|
||||
raise StandardError.new("This method needs to be stubbed.")
|
||||
end
|
||||
def fullname
|
||||
"auxiliary/scanner/snmp/brocade_dummy"
|
||||
end
|
||||
def myworkspace
|
||||
raise StandardError.new("This method needs to be stubbed.")
|
||||
end
|
||||
end
|
||||
|
||||
subject(:aux_brocade) { DummyClass.new }
|
||||
|
||||
let!(:workspace) { FactoryBot.create(:mdm_workspace) }
|
||||
|
||||
context '#create_credential_and_login' do
|
||||
|
||||
let(:session) { FactoryBot.create(:mdm_session) }
|
||||
|
||||
let(:task) { FactoryBot.create(:mdm_task, workspace: workspace)}
|
||||
|
||||
let(:user) { FactoryBot.create(:mdm_user)}
|
||||
|
||||
subject(:test_object) { DummyClass.new }
|
||||
|
||||
let(:workspace) { FactoryBot.create(:mdm_workspace) }
|
||||
let(:service) { FactoryBot.create(:mdm_service, host: FactoryBot.create(:mdm_host, workspace: workspace)) }
|
||||
let(:task) { FactoryBot.create(:mdm_task, workspace: workspace) }
|
||||
|
||||
let(:login_data) {
|
||||
{
|
||||
address: service.host.address,
|
||||
port: service.port,
|
||||
service_name: service.name,
|
||||
protocol: service.proto,
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
module_fullname: 'auxiliary/scanner/smb/smb_login',
|
||||
realm_key: 'Active Directory Domain',
|
||||
realm_value: 'contosso',
|
||||
username: 'Username',
|
||||
private_data: 'password',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
}
|
||||
|
||||
it 'creates a Metasploit::Credential::Login' do
|
||||
expect{test_object.create_credential_and_login(login_data)}.to change{Metasploit::Credential::Login.count}.by(1)
|
||||
end
|
||||
it "associates the Metasploit::Credential::Core with a task if passed" do
|
||||
login = test_object.create_credential_and_login(login_data.merge(task_id: task.id))
|
||||
expect(login.tasks).to include(task)
|
||||
end
|
||||
end
|
||||
|
||||
context '#brocade_config_eater' do
|
||||
before(:example) do
|
||||
expect(aux_brocade).to receive(:myworkspace).at_least(:once).and_return(workspace)
|
||||
end
|
||||
|
||||
it 'deals with enable passwords' do
|
||||
expect(aux_brocade).to receive(:print_good).with('enable password hash $1$QP3H93Wm$uxYAs2HmAK01QiP3ig5tm.')
|
||||
expect(aux_brocade).to receive(:print_bad).with('password-display is disabled, no password hashes displayed in config')
|
||||
expect(aux_brocade).to receive(:store_loot).with(
|
||||
"brocade.config", "text/plain", "127.0.0.1", "enable super-user-password 8 $1$QP3H93Wm$uxYAs2HmAK01QiP3ig5tm.", "config.txt", "Brocade Configuration"
|
||||
)
|
||||
expect(aux_brocade).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
port: 161,
|
||||
protocol: "tcp",
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/brocade_dummy",
|
||||
username: 'enable',
|
||||
private_data: "$1$QP3H93Wm$uxYAs2HmAK01QiP3ig5tm.",
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_brocade.brocade_config_eater('127.0.0.1',161,'enable super-user-password 8 $1$QP3H93Wm$uxYAs2HmAK01QiP3ig5tm.')
|
||||
end
|
||||
|
||||
it 'deals with user passwords' do
|
||||
expect(aux_brocade).to receive(:print_good).with('User brocade of type 8 found with password hash $1$YBaHUWpr$PzeUrP0XmVOyVNM5rYy99/.')
|
||||
expect(aux_brocade).to receive(:print_bad).with('password-display is disabled, no password hashes displayed in config')
|
||||
expect(aux_brocade).to receive(:store_loot).with(
|
||||
"brocade.config", "text/plain", "127.0.0.1", "username brocade password 8 $1$YBaHUWpr$PzeUrP0XmVOyVNM5rYy99/", "config.txt", "Brocade Configuration"
|
||||
)
|
||||
expect(aux_brocade).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
port: 161,
|
||||
protocol: "tcp",
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: "auxiliary/scanner/snmp/brocade_dummy",
|
||||
username: 'brocade',
|
||||
private_data: "$1$YBaHUWpr$PzeUrP0XmVOyVNM5rYy99/",
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_brocade.brocade_config_eater('127.0.0.1',161,'username brocade password 8 $1$YBaHUWpr$PzeUrP0XmVOyVNM5rYy99/')
|
||||
end
|
||||
|
||||
it 'deals with snmp communities' do
|
||||
expect(aux_brocade).to receive(:print_good).with('ENCRYPTED SNMP community $Si2^=d with permissions rw')
|
||||
expect(aux_brocade).to receive(:print_bad).with('password-display is disabled, no password hashes displayed in config')
|
||||
expect(aux_brocade).to receive(:store_loot).with(
|
||||
"brocade.config", "text/plain", "127.0.0.1", "snmp-server community 1 $Si2^=d rw", "config.txt", "Brocade Configuration"
|
||||
)
|
||||
expect(aux_brocade).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: "127.0.0.1",
|
||||
port: 161,
|
||||
protocol: "udp",
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: 'snmp',
|
||||
module_fullname: "auxiliary/scanner/snmp/brocade_dummy",
|
||||
private_data: "$Si2^=d",
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_brocade.brocade_config_eater('127.0.0.1',161,'snmp-server community 1 $Si2^=d rw')
|
||||
end
|
||||
it 'deals with enable hidden passwords' do
|
||||
expect(aux_brocade).to receive(:print_bad).with('password-display is disabled, no password hashes displayed in config')
|
||||
expect(aux_brocade).to receive(:store_loot).with(
|
||||
"brocade.config", "text/plain", "127.0.0.1", "enable super-user-password 8 .....", "config.txt", "Brocade Configuration"
|
||||
)
|
||||
aux_brocade.brocade_config_eater('127.0.0.1',161,'enable super-user-password 8 .....')
|
||||
end
|
||||
|
||||
it 'deals with user hidden passwords' do
|
||||
expect(aux_brocade).to receive(:print_bad).with('password-display is disabled, no password hashes displayed in config')
|
||||
expect(aux_brocade).to receive(:store_loot).with(
|
||||
"brocade.config", "text/plain", "127.0.0.1", "username brocade password 8 .....", "config.txt", "Brocade Configuration"
|
||||
)
|
||||
aux_brocade.brocade_config_eater('127.0.0.1',161,'username brocade password 8 .....')
|
||||
end
|
||||
|
||||
it 'deals with snmp communities' do
|
||||
expect(aux_brocade).to receive(:print_bad).with('password-display is disabled, no password hashes displayed in config')
|
||||
expect(aux_brocade).to receive(:store_loot).with(
|
||||
"brocade.config", "text/plain", "127.0.0.1", "snmp-server community 1 ..... rw", "config.txt", "Brocade Configuration"
|
||||
)
|
||||
aux_brocade.brocade_config_eater('127.0.0.1',161,'snmp-server community 1 ..... rw')
|
||||
end
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue