handle md5 and plaintext passwords
parent
43fabcad53
commit
14e0ebe7f6
|
@ -1,5 +1,7 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'metasploit/framework/hashes/identify'
|
||||
|
||||
module Msf
|
||||
###
|
||||
#
|
||||
|
@ -18,7 +20,7 @@ module Msf
|
|||
workspace_id: myworkspace.id,
|
||||
origin_type: :service,
|
||||
private_type: :nonreplayable_hash,
|
||||
jtr_format: 'sha512crypt', # default on the devices
|
||||
jtr_format: 'sha512,crypt', # default on the devices
|
||||
service_name: '',
|
||||
module_fullname: fullname,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
|
@ -90,27 +92,51 @@ module Msf
|
|||
create_credential_and_login(cred)
|
||||
# https://www.arista.com/en/um-eos/eos-section-4-7-aaa-commands#ww1349963
|
||||
# username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61
|
||||
when /^\s*username ([^\s]+) privilege (\d+) role (.+) secret (.+) ([^\s]+)/i
|
||||
# username bob privilege 15 secret 5 $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/
|
||||
when /^\s*username ([^\s]+) privilege (\d+) (?:role (.+) )?secret (.+) ([^\s]+)/i
|
||||
name = Regexp.last_match(1).to_s
|
||||
privilege = Regexp.last_match(2).to_s
|
||||
role = Regexp.last_match(3).to_s
|
||||
# secret = $4.to_s
|
||||
# for secret, 0=plaintext, 5=md5sum, sha512=sha512
|
||||
secret = Regexp.last_match(4).to_s
|
||||
hash = Regexp.last_match(5).to_s
|
||||
print_good("#{thost}:#{tport} Username '#{name}' with privilege #{privilege}, Role #{role}, and Hash: #{hash}")
|
||||
output = "#{thost}:#{tport} Username '#{name}' with privilege #{privilege},"
|
||||
unless role.empty?
|
||||
output << " Role #{role},"
|
||||
end
|
||||
cred = credential_data.dup
|
||||
if secret == '0'
|
||||
output << " and Password: #{hash}"
|
||||
cred[:private_type] = :password
|
||||
cred[:jtr_format] = ''
|
||||
else
|
||||
output << " and Hash: #{hash}"
|
||||
cred[:jtr_format] = identify_hash(hash)
|
||||
end
|
||||
cred[:username] = name
|
||||
cred[:private_data] = hash
|
||||
create_credential_and_login(cred)
|
||||
print_good(output)
|
||||
# aaa root secret sha512 $6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.
|
||||
when /^\s*aaa (root) secret (.+) ([^\s]+)/i
|
||||
name = Regexp.last_match(1).to_s
|
||||
# algorithm = $2.to_s
|
||||
# for secret, 0=plaintext, 5=md5sum, sha512=sha512
|
||||
secret = Regexp.last_match(2).to_s
|
||||
hash = Regexp.last_match(3).to_s
|
||||
print_good("#{thost}:#{tport} AAA Username '#{name}' with Hash: #{hash}")
|
||||
output = "#{thost}:#{tport} AAA Username '#{name}'"
|
||||
cred = credential_data.dup
|
||||
cred[:username] = name.to_s
|
||||
if secret == '0'
|
||||
output << " and Password: #{hash}"
|
||||
cred[:private_type] = :password
|
||||
cred[:jtr_format] = ''
|
||||
else
|
||||
output << " with Hash: #{hash}"
|
||||
cred[:jtr_format] = identify_hash(hash)
|
||||
end
|
||||
cred[:private_data] = hash.to_s
|
||||
create_credential_and_login(cred)
|
||||
print_good(output)
|
||||
end
|
||||
end
|
||||
end
|
||||
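Review bot: The secret type in the new `username` pattern is captured with a greedy `(.+)`, so on a config line that carries any further text after the secret value, group 4 becomes something like `0 test` and the `secret == '0'` check fails; the line is then saved as a `:nonreplayable_hash` whose `jtr_format` comes from running `identify_hash` on the trailing token. The same shape is in the `aaa (root) secret (.+) ([^\s]+)` clause. Capturing single tokens in both, `secret (\S+) (\S+)`, keeps the type and the value aligned. Separately, the `else` branch passes every type other than `0` to `identify_hash` and stores the result unchecked; if that helper can return an empty string for an unrecognised value (not visible on this page), the credential is recorded as a hash with no format, so a guard that logs and skips would be safer. The enclosing method starts outside the hunk.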
|
|
|
@ -120,7 +120,7 @@ RSpec.describe Msf::Auxiliary::Arista do
|
|||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
|
||||
username: 'enable',
|
||||
jtr_format: 'sha512crypt',
|
||||
jtr_format: 'sha512,crypt',
|
||||
private_data: '$6$jemN09cUdoLRim6i$Mvl2Fog/VZ7ktxyLSVDR1KnTTTPSMHU3WD.G/kxwgODdsc3d7S1aSNJX/DJmQI3nyrYnEw4lsmoKPGClFJ9hH1',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
|
@ -144,7 +144,7 @@ RSpec.describe Msf::Auxiliary::Arista do
|
|||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
|
||||
username: 'root',
|
||||
jtr_format: 'sha512crypt',
|
||||
jtr_format: 'sha512,crypt',
|
||||
private_data: '$6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
|
@ -152,8 +152,13 @@ RSpec.describe Msf::Auxiliary::Arista do
|
|||
)
|
||||
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'aaa root secret sha512 $6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.')
|
||||
end
|
||||
end
|
||||
|
||||
it 'deals with user passwords' do
|
||||
context 'deals with user details' do
|
||||
before(:example) do
|
||||
expect(aux_arista).to receive(:myworkspace).at_least(:once).and_return(workspace)
|
||||
end
|
||||
it 'deals with roles and sha512 passwords' do
|
||||
expect(aux_arista).to receive(:print_good).with("127.0.0.1:161 Username 'admin' with privilege 15, Role network-admin, and Hash: $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61")
|
||||
expect(aux_arista).to receive(:store_loot).with(
|
||||
'arista.eos.config', 'text/plain', '127.0.0.1', 'username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61', 'config.txt', 'Arista EOS Configuration'
|
||||
|
@ -168,7 +173,7 @@ RSpec.describe Msf::Auxiliary::Arista do
|
|||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
|
||||
username: 'admin',
|
||||
jtr_format: 'sha512crypt',
|
||||
jtr_format: 'sha512,crypt',
|
||||
private_data: '$6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
|
@ -176,6 +181,54 @@ RSpec.describe Msf::Auxiliary::Arista do
|
|||
)
|
||||
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61')
|
||||
end
|
||||
|
||||
it 'deals with no roles and md5 passwords' do
|
||||
expect(aux_arista).to receive(:print_good).with("127.0.0.1:161 Username 'bob' with privilege 15, and Hash: $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/")
|
||||
expect(aux_arista).to receive(:store_loot).with(
|
||||
'arista.eos.config', 'text/plain', '127.0.0.1', 'username bob privilege 15 secret 5 $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/', 'config.txt', 'Arista EOS Configuration'
|
||||
)
|
||||
expect(aux_arista).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
|
||||
username: 'bob',
|
||||
jtr_format: 'md5',
|
||||
private_data: '$1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/',
|
||||
private_type: :nonreplayable_hash,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'username bob privilege 15 secret 5 $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/')
|
||||
end
|
||||
|
||||
it 'deals with no roles and plaintext passwords' do
|
||||
expect(aux_arista).to receive(:print_good).with("127.0.0.1:161 Username 'un' with privilege 15, and Password: test")
|
||||
expect(aux_arista).to receive(:store_loot).with(
|
||||
'arista.eos.config', 'text/plain', '127.0.0.1', 'username un privilege 15 secret 0 test', 'config.txt', 'Arista EOS Configuration'
|
||||
)
|
||||
expect(aux_arista).to receive(:create_credential_and_login).with(
|
||||
{
|
||||
address: '127.0.0.1',
|
||||
port: 161,
|
||||
protocol: 'udp',
|
||||
workspace_id: workspace.id,
|
||||
origin_type: :service,
|
||||
service_name: '',
|
||||
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
|
||||
username: 'un',
|
||||
jtr_format: '',
|
||||
private_data: 'test',
|
||||
private_type: :password,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
)
|
||||
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'username un privilege 15 secret 0 test')
|
||||
end
|
||||
end
|
||||
|
||||
context 'deals with SNMP details' do
|
||||
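Review bot: The new examples cover md5 and plaintext only for `username` lines, while the library change adds the same `secret == '0'` / `identify_hash` branching to the `aaa root` clause, which in the visible hunks is still exercised only with a sha512 value. An example for a plaintext `aaa root` line would pin the `:password` / empty `jtr_format` path and the ` and Password:` wording of the output there. The sketch below reuses the sample value `test` already used in this spec; the surrounding `context` and `before` blocks are outside this excerpt.

```ruby
it 'deals with plaintext aaa root passwords' do
  expect(aux_arista).to receive(:print_good).with("127.0.0.1:161 AAA Username 'root' and Password: test")
  expect(aux_arista).to receive(:store_loot).with(
    'arista.eos.config', 'text/plain', '127.0.0.1', 'aaa root secret 0 test', 'config.txt', 'Arista EOS Configuration'
  )
  expect(aux_arista).to receive(:create_credential_and_login).with(
    hash_including(username: 'root', jtr_format: '', private_data: 'test', private_type: :password)
  )
  aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'aaa root secret 0 test')
end
```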
|
|