handle md5 and plaintext passwords

h00die 2020-07-20 21:08:18 -04:00 committed by Shelby Pace
parent 43fabcad53
commit 14e0ebe7f6
2 changed files with 89 additions and 10 deletions


@ -1,5 +1,7 @@
# -*- coding: binary -*-
require 'metasploit/framework/hashes/identify'
module Msf
###
#
@ -18,7 +20,7 @@ module Msf
workspace_id: myworkspace.id,
origin_type: :service,
private_type: :nonreplayable_hash,
jtr_format: 'sha512crypt', # default on the devices
jtr_format: 'sha512,crypt', # default on the devices
service_name: '',
module_fullname: fullname,
status: Metasploit::Model::Login::Status::UNTRIED
@ -90,27 +92,51 @@ module Msf
create_credential_and_login(cred)
# https://www.arista.com/en/um-eos/eos-section-4-7-aaa-commands#ww1349963
# username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61
when /^\s*username ([^\s]+) privilege (\d+) role (.+) secret (.+) ([^\s]+)/i
# username bob privilege 15 secret 5 $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/
when /^\s*username ([^\s]+) privilege (\d+) (?:role (.+) )?secret (.+) ([^\s]+)/i
name = Regexp.last_match(1).to_s
privilege = Regexp.last_match(2).to_s
role = Regexp.last_match(3).to_s
# secret = $4.to_s
# for secret, 0=plaintext, 5=md5sum, sha512=sha512
secret = Regexp.last_match(4).to_s
hash = Regexp.last_match(5).to_s
print_good("#{thost}:#{tport} Username '#{name}' with privilege #{privilege}, Role #{role}, and Hash: #{hash}")
output = "#{thost}:#{tport} Username '#{name}' with privilege #{privilege},"
unless role.empty?
output << " Role #{role},"
end
cred = credential_data.dup
if secret == '0'
output << " and Password: #{hash}"
cred[:private_type] = :password
cred[:jtr_format] = ''
else
output << " and Hash: #{hash}"
cred[:jtr_format] = identify_hash(hash)
end
cred[:username] = name
cred[:private_data] = hash
create_credential_and_login(cred)
print_good(output)
# aaa root secret sha512 $6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.
when /^\s*aaa (root) secret (.+) ([^\s]+)/i
name = Regexp.last_match(1).to_s
# algorithm = $2.to_s
# for secret, 0=plaintext, 5=md5sum, sha512=sha512
secret = Regexp.last_match(2).to_s
hash = Regexp.last_match(3).to_s
print_good("#{thost}:#{tport} AAA Username '#{name}' with Hash: #{hash}")
output = "#{thost}:#{tport} AAA Username '#{name}'"
cred = credential_data.dup
cred[:username] = name.to_s
if secret == '0'
output << " and Password: #{hash}"
cred[:private_type] = :password
cred[:jtr_format] = ''
else
output << " with Hash: #{hash}"
cred[:jtr_format] = identify_hash(hash)
end
cred[:private_data] = hash.to_s
create_credential_and_login(cred)
print_good(output)
end
end
end
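Review bot: The secret-type capture in the new `username … secret (.+) ([^\s]+)` pattern is greedy and the pattern has no end anchor, so the `secret == '0'` test only behaves as intended when exactly two tokens follow `secret`. If a cleartext secret can contain whitespace or the line carries any trailing token (not confirmed from this page), `(.+)` absorbs the `0` together with part of the value, the comparison fails, and the last word is recorded as a `:nonreplayable_hash` passed through `identify_hash` instead of as a `:password`. Capturing the type as a single token and the value as the rest of the line, `secret (\S+) (.+)$`, keeps the classification stable. The `aaa (root) secret (.+) ([^\s]+)` pattern has the same shape and would need the same change. Both `when` branches sit inside a `case` whose start is outside the hunk.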


@ -120,7 +120,7 @@ RSpec.describe Msf::Auxiliary::Arista do
service_name: '',
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
username: 'enable',
jtr_format: 'sha512crypt',
jtr_format: 'sha512,crypt',
private_data: '$6$jemN09cUdoLRim6i$Mvl2Fog/VZ7ktxyLSVDR1KnTTTPSMHU3WD.G/kxwgODdsc3d7S1aSNJX/DJmQI3nyrYnEw4lsmoKPGClFJ9hH1',
private_type: :nonreplayable_hash,
status: Metasploit::Model::Login::Status::UNTRIED
@ -144,7 +144,7 @@ RSpec.describe Msf::Auxiliary::Arista do
service_name: '',
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
username: 'root',
jtr_format: 'sha512crypt',
jtr_format: 'sha512,crypt',
private_data: '$6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.',
private_type: :nonreplayable_hash,
status: Metasploit::Model::Login::Status::UNTRIED
@ -152,8 +152,13 @@ RSpec.describe Msf::Auxiliary::Arista do
)
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'aaa root secret sha512 $6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.')
end
end
it 'deals with user passwords' do
context 'deals with user details' do
before(:example) do
expect(aux_arista).to receive(:myworkspace).at_least(:once).and_return(workspace)
end
it 'deals with roles and sha512 passwords' do
expect(aux_arista).to receive(:print_good).with("127.0.0.1:161 Username 'admin' with privilege 15, Role network-admin, and Hash: $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61")
expect(aux_arista).to receive(:store_loot).with(
'arista.eos.config', 'text/plain', '127.0.0.1', 'username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61', 'config.txt', 'Arista EOS Configuration'
@ -168,7 +173,7 @@ RSpec.describe Msf::Auxiliary::Arista do
service_name: '',
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
username: 'admin',
jtr_format: 'sha512crypt',
jtr_format: 'sha512,crypt',
private_data: '$6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61',
private_type: :nonreplayable_hash,
status: Metasploit::Model::Login::Status::UNTRIED
@ -176,6 +181,54 @@ RSpec.describe Msf::Auxiliary::Arista do
)
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61')
end
it 'deals with no roles and md5 passwords' do
expect(aux_arista).to receive(:print_good).with("127.0.0.1:161 Username 'bob' with privilege 15, and Hash: $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/")
expect(aux_arista).to receive(:store_loot).with(
'arista.eos.config', 'text/plain', '127.0.0.1', 'username bob privilege 15 secret 5 $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/', 'config.txt', 'Arista EOS Configuration'
)
expect(aux_arista).to receive(:create_credential_and_login).with(
{
address: '127.0.0.1',
port: 161,
protocol: 'udp',
workspace_id: workspace.id,
origin_type: :service,
service_name: '',
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
username: 'bob',
jtr_format: 'md5',
private_data: '$1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/',
private_type: :nonreplayable_hash,
status: Metasploit::Model::Login::Status::UNTRIED
}
)
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'username bob privilege 15 secret 5 $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/')
end
it 'deals with no roles and plaintext passwords' do
expect(aux_arista).to receive(:print_good).with("127.0.0.1:161 Username 'un' with privilege 15, and Password: test")
expect(aux_arista).to receive(:store_loot).with(
'arista.eos.config', 'text/plain', '127.0.0.1', 'username un privilege 15 secret 0 test', 'config.txt', 'Arista EOS Configuration'
)
expect(aux_arista).to receive(:create_credential_and_login).with(
{
address: '127.0.0.1',
port: 161,
protocol: 'udp',
workspace_id: workspace.id,
origin_type: :service,
service_name: '',
module_fullname: 'auxiliary/scanner/snmp/arista_dummy',
username: 'un',
jtr_format: '',
private_data: 'test',
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED
}
)
aux_arista.arista_eos_config_eater('127.0.0.1', 161, 'username un privilege 15 secret 0 test')
end
end
context 'deals with SNMP details' do