More fixups for ssh_login_pubkey and special handlers for long strings of keys.
git-svn-id: file:///home/svn/framework3/trunk@13156 4d416f70-5f16-0410-b530-b9f4589650da
parent
4c80d9a427
commit
dc84ee6aab
@ -363,7 +363,12 @@ module Auxiliary::AuthBrute
|
|||
begin
|
||||
creds = []
|
||||
obj = get_object_from_memory_location(memloc)
|
||||
obj.all_creds.each do |cred|
|
||||
unless obj.all_creds.empty?
|
||||
these_creds = obj.all_creds
|
||||
else
|
||||
these_creds = obj.builders.select {|x| x.respond_to? :imported_users}.map {|b| b.imported_users}.flatten
|
||||
end
|
||||
these_creds.each do |cred|
|
||||
user,pass = cred.split(/\s+/,2).map {|x| x.strip}
|
||||
creds << [Rex::Text.dehex(user.to_s), Rex::Text.dehex(pass.to_s)]
|
||||
end
|
||||
|
|
|
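Review bot: The new branch is written as `unless … else`, which the Ruby style guide steers away from; inverting it to `if obj.all_creds.empty?`, or collapsing it into one fallback assignment, reads more directly and also avoids evaluating `obj.all_creds` twice. For example: `these_creds = obj.all_creds` followed by `these_creds = obj.builders.select {|x| x.respond_to? :imported_users}.map {|b| b.imported_users}.flatten if these_creds.empty?`. If any builder's `imported_users` can yield nil entries, a `.compact` after the `.flatten` would keep the later `cred.split` from raising on nil; that cannot be confirmed from the hunk. The `begin` at the top of the hunk has its `rescue`/`end` below the hunk, as does whatever consumes `creds`, so whether an empty `these_creds` is an error or an expected no-op is not visible here.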
@ -13,7 +13,7 @@ class Cred < ActiveRecord::Base
|
|||
return false if other.proof.empty?
|
||||
return false unless self.proof
|
||||
return false if self.proof.empty?
|
||||
key_id_regex = /KEY=[0-9a-fA-F:]+/
|
||||
key_id_regex = /[0-9a-fA-F:]+/
|
||||
my_key_id = self.proof[key_id_regex].to_s.downcase
|
||||
other_key_id = other.proof[key_id_regex].to_s.downcase
|
||||
my_key_id == other_key_id
|
||||
|
|
|
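Review bot: Dropping the `KEY=` prefix from `key_id_regex` makes `self.proof[key_id_regex]` return the first run of hex-looking characters anywhere in the proof, so if a proof string still carries a `KEY=` prefix the match is the `E` of `KEY`, and two unrelated keys would compare equal on that single letter. Requiring the fingerprint shape, e.g. `key_id_regex = /(?:KEY=)?([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+)/` and reading the capture with `self.proof[key_id_regex, 1]` on both sides, keeps the comparison anchored to an actual colon-separated fingerprint whether or not the prefix is present. Because this comparison decides whether two Cred rows are treated as the same credential, an over-broad match risks collapsing distinct keys into one record. The method's signature and the guards on `other` start above the hunk.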
@ -74,6 +74,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
datastore['RPORT']
|
||||
end
|
||||
|
||||
def ip
|
||||
datastore['RHOST']
|
||||
end
|
||||
|
||||
def read_keyfile(file)
|
||||
if file == :keyfile_b64
|
||||
keyfile = datastore['SSH_KEYFILE_B64'].unpack("m*").first
|
||||
|
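Review bot: The added `ip` helper reads `datastore['RHOST']`, yet the methods in this module that work with an address, `run_host(ip)` and `do_report(ip,user,port,proof)`, receive `ip` as a parameter that shadows the helper inside their bodies, so it is not obvious where the helper is meant to be used. A one-line comment such as `# Accessor for call sites with no host argument in scope; run_host and do_report use their own ip parameter` would make the intent clear. Whether the scanner mixin sets RHOST to the current target before calling run_host is not visible here, so any caller that relies on this helper for the target being scanned should be checked against that.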
@ -112,7 +116,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Needs a beginning
|
||||
next unless key =~ /^-----BEGIN [RD]SA PRIVATE KEY-----\x0d?\x0a/m
|
||||
# Needs an end
|
||||
next unless key =~ /\n-----END [RD]SA PRIVATE KEY-----\x0d?\x0a$/m
|
||||
next unless key =~ /\n-----END [RD]SA PRIVATE KEY-----\x0d?\x0a?$/m
|
||||
# Shouldn't have binary.
|
||||
next unless key.scan(/[\x00-\x08\x0b\x0c\x0e-\x1f\x80-\xff]/).empty?
|
||||
# Add more tests to taste.
|
||||
|
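Review bot: Making the trailing newline optional is reasonable, but the END check still relies on `$`, which in Ruby matches before any newline rather than only at the end of the string, so a candidate whose END marker is followed by further lines still passes the "needs an end" test; the BEGIN check above it is equally line-anchored with `^`. Anchoring the END pattern with `\z` (`next unless key =~ /\n-----END [RD]SA PRIVATE KEY-----\x0d?\x0a?\z/`) and the BEGIN pattern with `\A` makes both checks describe the whole candidate key, which is what the binary-content scan below assumes. The `/m` flag has no effect on either pattern since neither uses `.`. The loop that supplies `key` and that the `next` statements target starts above the hunk.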
@ -237,6 +241,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def do_report(ip,user,port,proof)
|
||||
store_keyfile_b64_loot(ip,user,self.good_key)
|
||||
report_auth_info(
|
||||
:host => ip,
|
||||
:port => datastore['RPORT'],
|
||||
|
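Review bot: `do_report` now calls `store_keyfile_b64_loot(ip,user,self.good_key)` ahead of `report_auth_info`, but nothing in the hunk shows where `good_key` is assigned, so a reader cannot tell whether it is guaranteed to be set by the time a report is made. A short comment on the call, saying what `good_key` holds and which code path sets it before `do_report` runs, would document that contract. Because the loot write happens first, an exception raised while storing loot would also prevent the authentication from being reported; if that ordering is not deliberate, reporting first is the safer order. The remaining `report_auth_info` arguments continue below the hunk.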
@ -249,6 +254,23 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
end
|
||||
|
||||
# Sometimes all we have is a SSH_KEYFILE_B64 string. If it's
|
||||
# good, then store it as loot for this user@host, unless we
|
||||
# already have it in loot.
|
||||
def store_keyfile_b64_loot(ip,user,key_id)
|
||||
return unless db
|
||||
return if @keyfile_path
|
||||
return if datastore["SSH_KEYFILE_B64"].to_s.empty?
|
||||
keyfile = datastore['SSH_KEYFILE_B64'].unpack("m*").first
|
||||
keyfile = keyfile.strip + "\n"
|
||||
ktype_match = keyfile.match(/--BEGIN ([DR]SA) PRIVATE/)
|
||||
return unless ktype_match
|
||||
ktype = ktype_match[1].downcase
|
||||
ltype = "host.unix.ssh.#{user}_#{ktype}_private"
|
||||
return if Msf::DBManager::Loot.find_by_ltype_and_workspace_id(ltype,myworkspace.id)
|
||||
@keyfile_path = store_loot(ltype, "application/octet-stream", ip, keyfile.strip, nil, key_id)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
print_status("#{ip}:#{rport} - SSH - Testing Cleartext Keys")
|
||||
# Since SSH collects keys and tries them all on one authentication session, it doesn't
|
||||
|
|
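Review bot: The duplicate check in `store_keyfile_b64_loot` looks up loot by `ltype` and workspace only, and `ltype` (`host.unix.ssh.#{user}_#{ktype}_private`) carries the user and key type but not the host, so once the key has been stored for one host it is never stored for any other host with the same user, which contradicts the "unless we already have it in loot for this user@host" comment above it; the `return if @keyfile_path` guard has the same effect within a single module instance if that instance handles several hosts or users. Scoping the lookup by the host the loot was stored against (`ip` is passed to `store_loot`), or comparing the existing loot's info against `key_id`, would match the stated intent. Two smaller points: `keyfile = keyfile.strip + "\n"` is undone by the `keyfile.strip` handed to `store_loot`, so the added newline only influences the `ktype_match` regex, and the base64 decoding repeats the `datastore['SSH_KEYFILE_B64'].unpack("m*").first` line shown in `read_keyfile(:keyfile_b64)` in an earlier hunk, which could be called instead. The `run_host` body continues below the hunk.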