enhance user data parsing

2020-09-12 10:07:23 -04:00 · 2020-09-12 10:07:23 -04:00 · daa10ea735
parent 537be9054d
commit daa10ea735
4 changed files with 41 additions and 17 deletions
--- a/documentation/modules/post/networking/gather/enum_f5.md
+++ b/documentation/modules/post/networking/gather/enum_f5.md
@ -65,7 +65,9 @@ resource (f5_ssh.rb)> run
 [+] Saving to /home/h00die/.msf4/loot/20200820143944_default_2.2.2.2_F5.show_net_045166.txt
 [*] Gathering info from show running-config
 [+] Saving to /home/h00die/.msf4/loot/20200820143949_default_2.2.2.2_F5.show_running__097351.txt
-[+] 2.2.2.2:22 Username 'admin' and hash $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/
+[+] 2.2.2.2:22 Username 'admin' with description 'Admin User' and shell tmsh with hash $6$PQvaMmyS$Bn5.2qIin7rC34tHUQ1Vu6fEeuDzQZqc25TSiDsmbB903RENBisWbTN9Mqh7g2x26VUbxdzwUzzmL7fB4T2iy1
+[+] 2.2.2.2:22 Username 'superlegit' with description 'a user account' and shell tmsh with hash $6$FTQz2reX$U0o37QjQYdg42dwCcLa.1H85hVTriQtxhlMoIM0cs4DFyW5s26kbrEgZG5Mfaxi9fgFfHrvDBGad7ikXnEZIP0
+[+] 2.2.2.2:22 Username 't' with description 't' and shell none with hash $6$iajXIq2B$ezy4hVW9A.5eN1xG4JZWFbY4bFaq7uUKwO9gDVLxvgzigsX4gquLW1NoSaZP9CtN0NnrbGV4QvtkA.esLJOg50
 [+] 2.2.2.2:22 SNMP Community 'public' with RO access
 [+] 2.2.2.2:22 SNMP Community 'rocommunity' with RO access
 [+] 2.2.2.2:22 SNMP Community 'rwcommunity' with RW access
--- a/lib/msf/core/auxiliary/f5.rb
+++ b/lib/msf/core/auxiliary/f5.rb
@ -5,13 +5,13 @@ require 'metasploit/framework/hashes/identify'
 module Msf
  ###
  #
-  # This module provides methods for working with Arista equipment
+  # This module provides methods for working with F5 equipment
  #
  ###
  module Auxiliary::F5
    include Msf::Auxiliary::Report

-    def f5_config_eater(thost, tport, config)
+    def f5_config_eater(thost, tport, config, store = true)

      credential_data = {
        address: thost,
@ -32,7 +32,9 @@ module Msf
        credential_data[:protocol] = 'udp'
      end

-      store_loot('f5.config', 'text/plain', thost, config.strip, 'config.txt', 'F5 Configuration')
+      if store
+        store_loot('f5.config', 'text/plain', thost, config.strip, 'config.txt', 'F5 Configuration')
+      end

      host_info = {
        host: thost,
@ -54,15 +56,17 @@ module Msf
      #    shell none
      # }

-      config.scan(%r{^auth user (.+) \{.+encrypted-password ([$\w/\+]+)}mi).each do |result|
+      config.scan(%r{auth user ([^ ]+) {\s*description "?([^\n"]+)"?\n\s*encrypted-password ([$\w\+\./]+)\n[\w\s\-{}]+\s+shell (tmsh|bash|none)\n}}mi).each do |result|
        username = result[0].strip
-        hash = result[1].strip
+        description = result[1].strip
+        hash = result[2].strip
+        shell = result[3].strip
        cred = credential_data.dup
        cred[:username] = username
        cred[:jtr_format] = identify_hash(hash)
        cred[:private_data] = hash
        create_credential_and_login(cred)
-        print_good("#{thost}:#{tport} Username '#{username}' and hash #{hash}")
+        print_good("#{thost}:#{tport} Username '#{username}' with description '#{description}' and shell #{shell} with hash #{hash}")
      end

      # generated by: tmsh list sys snmp communities
@ -123,12 +127,12 @@ module Msf
      # }

      if /^cm device (?<content>.+)}$/m =~ config
-        if /hostname (?<hostname>[\w\.]+)$/ =~ content
+        if /hostname (?<hostname>[\w\.-]+)$/i =~ content
          print_good("#{thost}:#{tport} Hostname: #{hostname}")
          host_info[:name] = hostname
          report_host(host_info)
        end
-        if /base-mac (?<mac>[\d:a-f]+)$/ =~ content
+        if /base-mac (?<mac>[\d:a-f]+)$/i =~ content
          print_good("#{thost}:#{tport} MAC Address: #{mac}")
          host_info[:mac] = mac
          report_host(host_info)
@ -136,12 +140,12 @@ module Msf
        if /management-ip (?<ip>[\d\.]+)$/ =~ content
          print_good("#{thost}:#{tport} Management IP: #{ip}")
        end
-        if /product (?<product>[\w-]+)$/ =~ content
+        if /product (?<product>[\w-]+)$/i =~ content
          print_good("#{thost}:#{tport} Product #{product}")
          host_info[:os_name] = "F5 #{product}"
          report_host(host_info)
        end
-        if /version (?<version>[\d\.]+)$/ =~ content
+        if /version (?<version>[\d\.]+)$/i =~ content
          print_good("#{thost}:#{tport} OS Version: #{version}")
          host_info[:os_flavor] = version
          report_host(host_info)
--- a/modules/post/networking/gather/enum_f5.rb
+++ b/modules/post/networking/gather/enum_f5.rb
@ -25,11 +25,14 @@ class MetasploitModule < Msf::Post

  def run
    # Get device prompt
-    prompt = session.shell_command('')
-    unless prompt.include? '(tmos)'
+    prompt = session.shell_command('?')
+    started_tmos = false
+    unless prompt.include? 'Commands:'
+      started_tmos = true
      print_status('Moving to TMOS prompt')
      session.shell_command('tmsh')
    end
+    prompt = session.shell_command('')

    # Get version info
    system_out = session.shell_command('show /sys version')
@ -59,7 +62,11 @@ class MetasploitModule < Msf::Post
    # run additional information gathering

    enum_tmos_configs(prompt)
-    session.shell_command('quit') # exit tmos
+    if started_tmos
+      session.shell_command('quit') # exit tmos
+    else
+      session.shell_command('bash') # go to bash from tmos
+    end
    enum_configs(prompt)
  end

@ -107,6 +114,13 @@ class MetasploitModule < Msf::Post
      if cmd_out.include?('---(less')
        cmd_out += session.shell_command(" \n" * 20) # 20 pages should be enough
      end
+
+      # loop to ensure we get all content within the 5 sec window
+      loop do
+        break unless out_tmp = session.shell_read
+        cmd_out << out_tmp
+      end
+
      print_status("Gathering info from #{command}")
      cmd_loc = store_loot("F5.#{ec['fn']}",
                           'text/plain',
@ -115,7 +129,7 @@ class MetasploitModule < Msf::Post
                           "#{ec['fn']}.txt",
                           ec['desc'])
      vprint_good("Saving to #{cmd_loc}")
-      f5_config_eater(host, port, cmd_out.strip)
+      f5_config_eater(host, port, cmd_out.strip, store=false)
    end
  end

@ -168,6 +182,10 @@ class MetasploitModule < Msf::Post
      command = ec['cmd']
      cmd_out = session.shell_command(command).gsub(/#{command}|#{prompt}/, '')
      print_status("Gathering info from #{command}")
+      if cmd_out.include?('No such file or directory') || cmd_out.strip == ''
+        print_error('File not found or empty')
+        next
+      end
      cmd_loc = store_loot("F5.#{ec['fn']}",
                           'text/plain',
                           session,
@ -175,7 +193,7 @@ class MetasploitModule < Msf::Post
                           "#{ec['fn']}.txt",
                           ec['desc'])
      vprint_good("Saving to #{cmd_loc}")
-      f5_config_eater(host, port, cmd_out.strip)
+      f5_config_eater(host, port, cmd_out.strip, store=false)
    end
  end
 end
--- a/spec/lib/msf/core/auxiliary/f5_spec.rb
+++ b/spec/lib/msf/core/auxiliary/f5_spec.rb
@ -101,7 +101,7 @@ RSpec.describe Msf::Auxiliary::F5 do
      data << "   }\n"
      data << "   shell none\n"
      data << '}'
-      expect(aux_f5).to receive(:print_good).with("127.0.0.1:161 Username 'admin' and hash $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/")
+      expect(aux_f5).to receive(:print_good).with("127.0.0.1:161 Username 'admin' with description 'Admin User' and shell none with hash $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/")
      expect(aux_f5).to receive(:store_loot).with(
        'f5.config', 'text/plain', '127.0.0.1', data, 'config.txt', 'F5 Configuration'
      )