More fixups for ssh_login_pubkey and special handlers for long strings of keys.

git-svn-id: file:///home/svn/framework3/trunk@13156 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-12 20:58:25 +00:00 · 2011-07-12 20:58:25 +00:00 · dc84ee6aab
parent 4c80d9a427
commit dc84ee6aab
3 changed files with 30 additions and 3 deletions
--- a/lib/msf/core/auxiliary/auth_brute.rb
+++ b/lib/msf/core/auxiliary/auth_brute.rb
@ -363,7 +363,12 @@ module Auxiliary::AuthBrute
 		begin
 			creds = []
 			obj = get_object_from_memory_location(memloc)
-			obj.all_creds.each do |cred|
+			unless obj.all_creds.empty?
+				these_creds = obj.all_creds
+			else
+				these_creds = obj.builders.select {|x| x.respond_to? :imported_users}.map {|b| b.imported_users}.flatten
+			end
+			these_creds.each do |cred|
 				user,pass = cred.split(/\s+/,2).map {|x| x.strip}
 				creds << [Rex::Text.dehex(user.to_s), Rex::Text.dehex(pass.to_s)]
 			end
--- a/lib/msf/core/model/cred.rb
+++ b/lib/msf/core/model/cred.rb
@ -13,7 +13,7 @@ class Cred < ActiveRecord::Base
 		return false if other.proof.empty?
 		return false unless self.proof
 		return false if self.proof.empty?
-		key_id_regex = /KEY=[0-9a-fA-F:]+/
+		key_id_regex = /[0-9a-fA-F:]+/
 		my_key_id = self.proof[key_id_regex].to_s.downcase 
 		other_key_id = other.proof[key_id_regex].to_s.downcase
 		my_key_id == other_key_id
--- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
@ -74,6 +74,10 @@ class Metasploit3 < Msf::Auxiliary
 		datastore['RPORT']
 	end

+	def ip
+		datastore['RHOST']
+	end
+
 	def read_keyfile(file)
 		if file == :keyfile_b64
 			keyfile = datastore['SSH_KEYFILE_B64'].unpack("m*").first
@ -112,7 +116,7 @@ class Metasploit3 < Msf::Auxiliary
 			# Needs a beginning
 			next unless key =~ /^-----BEGIN [RD]SA PRIVATE KEY-----\x0d?\x0a/m
 			# Needs an end
-			next unless key =~ /\n-----END [RD]SA PRIVATE KEY-----\x0d?\x0a$/m
+			next unless key =~ /\n-----END [RD]SA PRIVATE KEY-----\x0d?\x0a?$/m
 			# Shouldn't have binary.
 			next unless key.scan(/[\x00-\x08\x0b\x0c\x0e-\x1f\x80-\xff]/).empty?
 			# Add more tests to taste.
@ -237,6 +241,7 @@ class Metasploit3 < Msf::Auxiliary
 	end

 	def do_report(ip,user,port,proof)
+		store_keyfile_b64_loot(ip,user,self.good_key)
 		report_auth_info(
 			:host => ip,
 			:port => datastore['RPORT'],
@ -249,6 +254,23 @@ class Metasploit3 < Msf::Auxiliary
 		)
 	end

+	# Sometimes all we have is a SSH_KEYFILE_B64 string. If it's 
+	# good, then store it as loot for this user@host, unless we
+	# already have it in loot.
+	def store_keyfile_b64_loot(ip,user,key_id)
+		return unless db 
+		return if @keyfile_path
+		return if datastore["SSH_KEYFILE_B64"].to_s.empty?
+		keyfile = datastore['SSH_KEYFILE_B64'].unpack("m*").first
+		keyfile = keyfile.strip + "\n"
+		ktype_match = keyfile.match(/--BEGIN ([DR]SA) PRIVATE/)
+		return unless ktype_match
+		ktype = ktype_match[1].downcase
+		ltype = "host.unix.ssh.#{user}_#{ktype}_private"
+		return if Msf::DBManager::Loot.find_by_ltype_and_workspace_id(ltype,myworkspace.id)
+		@keyfile_path = store_loot(ltype, "application/octet-stream", ip, keyfile.strip, nil, key_id)
+	end
+
 	def run_host(ip)
 		print_status("#{ip}:#{rport} - SSH - Testing Cleartext Keys")
 		# Since SSH collects keys and tries them all on one authentication session, it doesn't