From a58f7f05580f55bcf319b59c5bbceacbf8e37071 Mon Sep 17 00:00:00 2001
From: Gaurav Jain
Date: Sat, 16 Dec 2023 23:40:30 +0530
Subject: [PATCH] Minor fixes to modules to use report_cred
---
 data/exploits/psnuffle/ftp.rb | 32 ++-------------
 data/exploits/psnuffle/imap.rb | 35 +++-------------
 data/exploits/psnuffle/pop3.rb | 40 ++++---------------
 data/exploits/psnuffle/smb.rb | 31 ++------------
 data/exploits/psnuffle/url.rb | 32 ++-------------
 .../admin/scada/modicon_password_recovery.rb | 12 +++---
 .../scanner/lotus/lotus_domino_hashes.rb | 4 +-
 modules/auxiliary/sniffer/psnuffle.rb | 35 +++++++++++++++-
 8 files changed, 67 insertions(+), 154 deletions(-)
diff --git a/data/exploits/psnuffle/ftp.rb b/data/exploits/psnuffle/ftp.rb
index f64de7e08146..269a44c5699c 100755
--- a/data/exploits/psnuffle/ftp.rb
+++ b/data/exploits/psnuffle/ftp.rb
@@ -42,10 +42,11 @@ def parse(pkt)
 if(s[:user] and s[:pass])
 report_cred(
 :ip => s[:host],
- :port => 21,
+ :port => s[:port],
 :service_name => s[:sname],
 :user => s[:user],
 :password => s[:pass],
+ :type => :password,
 :proof => "Response code 5 from server",
 :status => Metasploit::Model::Login::Status::INCORRECT
 )
@@ -59,10 +60,11 @@ def parse(pkt)
 if(s[:user] and s[:pass])
 report_cred(
 :ip => s[:host],
- :port => 21,
+ :port => s[:port],
 :service_name => s[:sname],
 :user => s[:user],
 :password => s[:pass],
+ :type => :password,
 :proof => "Response code 230 from server",
 :status => Metasploit::Model::Login::Status::SUCCESSFUL
 )
@@ -90,31 +92,5 @@ def parse(pkt)
 end # end of each_key
 end # end of parse
-
- def report_cred(opts)
- service_data = {
- address: opts[:ip],
- port: opts[:port],
- service_name: opts[:service_name],
- protocol: 'tcp',
- workspace_id: myworkspace_id
- }
-
- credential_data = {
- origin_type: :service,
- module_fullname: fullname,
- username: opts[:user],
- private_data: opts[:password],
- private_type: :password
- }.merge(service_data)
-
- login_data = {
- core: create_credential(credential_data),
- status: opts[:status],
- proof: opts[:proof]
- }.merge(service_data)
-
- create_credential_login(login_data)
- end
 end
diff --git a/data/exploits/psnuffle/imap.rb b/data/exploits/psnuffle/imap.rb
index 8ba96b7a681a..e345165f6546 100755
--- a/data/exploits/psnuffle/imap.rb
+++ b/data/exploits/psnuffle/imap.rb
@@ -46,10 +46,11 @@ def parse(pkt)
 report_cred(
 :ip => s[:host],
- :port => 143,
+ :port => s[:port],
 :service_name => s[:sname],
 :user => s[:user],
 :password => s[:pass],
+ :type => :password,
 :proof => "Capability OK reponse from server",
 :status => Metasploit::Model::Login::Status::SUCCESSFUL
 )
@@ -62,10 +63,11 @@ def parse(pkt)
 report_cred(
 :ip => s[:host],
- :port => 143,
+ :port => s[:port],
 :service_name => s[:sname],
 :user => s[:user],
 :password => s[:pass],
+ :type => :password,
 :proof => "Capability NO response from server",
 :status => Metasploit::Model::Login::Status::INCORRECT
 )
@@ -77,10 +79,11 @@ def parse(pkt)
 when :login_bad
 report_cred(
 :ip => s[:host],
- :port => 143,
+ :port => s[:port],
 :service_name => s[:sname],
 :user => s[:user],
 :password => s[:pass],
+ :type => :password,
 :proof => "Capability BAD response from server",
 :status => Metasploit::Model::Login::Status::INCORRECT
 )
@@ -100,31 +103,5 @@ def parse(pkt) end # end case matched end # end of each_key end # end of parse - - def report_cred(opts) - service_data = { - address: opts[:ip], - port: opts[:port], - service_name: opts[:service_name], - protocol: 'tcp', - workspace_id: myworkspace_id - } - - credential_data = { - origin_type: :service, - module_fullname: fullname, - username: opts[:user], - private_data: opts[:password], - private_type: :password - }.merge(service_data) - - login_data = { - core: create_credential(credential_data), - status: opts[:status], - proof: opts[:proof] - }.merge(service_data) - - create_credential_login(login_data) - end end diff --git a/data/exploits/psnuffle/pop3.rb b/data/exploits/psnuffle/pop3.rb index 491605b752ea..60032ba88036 100755 --- a/data/exploits/psnuffle/pop3.rb +++ b/data/exploits/psnuffle/pop3.rb @@ -54,11 +54,12 @@ def parse(pkt) s[:extra] = "Successful Login. Banner: #{s[:banner]}" report_cred( :ip => s[:host], - :port => 110, - :service_name => s[:sname], + :port => s[:port], + :service_name => s[:name], :user => s[:user], :password => s[:pass], - :proof => "OK response after PASS response from server", + :type => :password, + :proof => s[:extra], :status => Metasploit::Model::Login::Status::SUCCESSFUL ) print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})") @@ -82,11 +83,12 @@ def parse(pkt) s[:extra]="Failed Login. Banner: #{s[:banner]}" report_cred( :ip => s[:host], - :port => 110, - :service_name => s[:sname], + :port => s[:port], + :service_name => s[:proto], :user => s[:user], :password => s[:pass], - :proof => "ERR response after PASS response from server", + :type => :password, + :proof => s[:extra], :status => Metasploit::Model::Login::Status::INCORRECT ) print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})") 
@@ -100,31 +102,5 @@ def parse(pkt)
 end # end case matched
 end # end of each_key
 end # end of parse
-
- def report_cred(opts)
- service_data = {
- address: opts[:ip],
- port: opts[:port],
- service_name: opts[:service_name],
- protocol: 'tcp',
- workspace_id: myworkspace_id
- }
-
- credential_data = {
- origin_type: :service,
- module_fullname: fullname,
- username: opts[:user],
- private_data: opts[:password],
- private_type: :password
- }.merge(service_data)
-
- login_data = {
- core: create_credential(credential_data),
- status: opts[:status],
- proof: opts[:proof]
- }.merge(service_data)
-
- create_credential_login(login_data)
- end
 end
diff --git a/data/exploits/psnuffle/smb.rb b/data/exploits/psnuffle/smb.rb
index e15410751954..a55bd9919f07 100755
--- a/data/exploits/psnuffle/smb.rb
+++ b/data/exploits/psnuffle/smb.rb
@@ -172,12 +172,14 @@ def parse_sessionsetup(pkt, s)
 # DB reporting
 report_cred(
 :ip => dst_ip,
- :port => 445,
+ :port => s[:port],
 :service_name => 'smb',
 :user => s[:user],
 :password => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
+ :type => :nonreplayable_hash,
 :jtr_format => smb_db_type_hash,
 :proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
+ :status => Metasploit::Model::Login::Status::SUCCESSFUL
 )
 report_note(
@@ -206,31 +208,4 @@ def parse_sessionsetup(pkt, s)
 end
 end
 end
-
- def report_cred(opts)
- service_data = {
- address: opts[:ip],
- port: opts[:port],
- service_name: opts[:service_name],
- protocol: 'tcp',
- workspace_id: myworkspace_id
- }
-
- credential_data = {
- origin_type: :service,
- module_fullname: fullname,
- username: opts[:user],
- private_data: opts[:password],
- private_type: :nonreplayable_hash,
- jtr_format: opts[:jtr_format]
- }.merge(service_data)
-
- login_data = {
- core: create_credential(credential_data),
- status: Metasploit::Model::Login::Status::UNTRIED,
- proof: opts[:proof]
- }.merge(service_data)
-
- create_credential_login(login_data)
- end
 end
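Review bot: `:status => Metasploit::Model::Login::Status::SUCCESSFUL` in the smb hunk (@@ -172) records the sniffed NTLM challenge/response as a verified login, whereas the file-local report_cred removed further down in this file stored these hashes with a hard-coded UNTRIED status. Nothing visible in this hunk inspects the server's Session Setup response, so the parser has evidence that the hash was offered, not that it was accepted; the status change also makes the new BaseProtocolParser#report_cred stamp last_attempted_at on it. Unless parse_sessionsetup does check the response outside the hunk, `:status => Metasploit::Model::Login::Status::UNTRIED` preserves the previous, more honest semantics. parse_sessionsetup's body continues outside the hunk.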
diff --git a/data/exploits/psnuffle/url.rb b/data/exploits/psnuffle/url.rb
index 78185e001e54..4bf62824c219 100755
--- a/data/exploits/psnuffle/url.rb
+++ b/data/exploits/psnuffle/url.rb
@@ -46,11 +46,13 @@ def parse(pkt)
 s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
 report_cred(
 :ip => s[:host],
- :port => 80,
- :service_name => s[:sname],
+ :port => s[:port],
+ :service_name => 'http',
 :user => s[:user],
 :password => s[:pass],
+ :type => :password,
 :proof => "Session: #{s[:session]} Basic Auth: #{s[:basic_auth]}",
+ :status => Metasploit::Model::Login::Status::UNTRIED
 )
 print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"
 end
@@ -59,30 +61,4 @@ def parse(pkt)
 end # end case matched
 end # end of each_key
 end # end of parse
-
- def report_cred(opts)
- service_data = {
- address: opts[:ip],
- port: opts[:port],
- service_name: opts[:service_name],
- protocol: 'tcp',
- workspace_id: myworkspace_id
- }
-
- credential_data = {
- origin_type: :service,
- module_fullname: fullname,
- username: opts[:user],
- private_data: opts[:password],
- private_type: :password
- }.merge(service_data)
-
- login_data = {
- core: create_credential(credential_data),
- status: Metasploit::Model::Login::Status::UNTRIED,
- proof: opts[:proof]
- }.merge(service_data)
-
- create_credential_login(login_data)
- end
 end # end of URL sniffer
diff --git a/modules/auxiliary/admin/scada/modicon_password_recovery.rb b/modules/auxiliary/admin/scada/modicon_password_recovery.rb
index 5b9331b17d93..2df69a9f1198 100644
--- a/modules/auxiliary/admin/scada/modicon_password_recovery.rb
+++ b/modules/auxiliary/admin/scada/modicon_password_recovery.rb
@@ -185,12 +185,12 @@ def grab
 logins << ["http", httpuser, httppass]
 report_cred(
- :ip => ip,
- :port => 80,
- :service_name => 'http',
- :user => httpuser,
- :password => httppass,
- :proof => proof
+ ip: ip,
+ port: rport,
+ service_name: 'http',
+ user: httpuser,
+ password: httppass,
+ proof: proof
 )
 logins << ["scada-write", "", writecreds[1]]
diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
index ada6c8a3625e..c000c1848876 100644
--- a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
+++ b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
@@ -190,6 +190,8 @@ def dump_hashes(view_id, cookie, uri)
 def report_cred(opts)
+ service_data = service_details.merge({workspace_id: myworkspace_id})
+
 credential_data = {
 origin_type: :service,
 module_fullname: fullname,
@@ -197,7 +199,7 @@ def report_cred(opts)
 private_data: opts[:password],
 private_type: :nonreplayable_hash,
 jtr_format: 'dominosec'
- }.merge(service_details)
+ }.merge(service_data)
 login_data = {
 core: create_credential(credential_data),
diff --git a/modules/auxiliary/sniffer/psnuffle.rb b/modules/auxiliary/sniffer/psnuffle.rb
index 0d578601cf10..21f2ec8e4d06 100644
--- a/modules/auxiliary/sniffer/psnuffle.rb
+++ b/modules/auxiliary/sniffer/psnuffle.rb
@@ -102,6 +102,7 @@ def run
 # Basic class for taking care of sessions
 class BaseProtocolParser
+ include Msf::Auxiliary::Report
 attr_accessor :framework, :module, :sessions, :dport, :sigs
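Review bot: In lotus_domino_hashes.rb, `service_details.merge({workspace_id: myworkspace_id})` wraps the argument hash in redundant braces; `service_data = service_details.merge(workspace_id: myworkspace_id)` is the idiomatic form. The credential hash now carries workspace_id through `service_data`, but the `login_data` hash that starts at the end of the second hunk is merged outside the hunk — if it still merges `service_details`, the login row will lack the workspace_id its credential got, so that merge presumably needs to become `.merge(service_data)` as well. report_cred's body continues past the hunk.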
@@ -132,8 +133,38 @@ def print_error(msg)
 self.module.print_error(msg)
 end
- def report_auth_info(*s)
- self.module.report_auth_info(*s)
+ def report_cred(opts)
+ service_data = {
+ address: opts[:ip],
+ port: opts[:port],
+ service_name: opts[:service_name],
+ protocol: 'tcp',
+ workspace_id: self.module.myworkspace_id
+ }
+
+ credential_data = {
+ origin_type: :service,
+ module_fullname: self.module.fullname,
+ username: opts[:user],
+ private_data: opts[:password],
+ private_type: opts[:type]
+ }.merge(service_data)
+
+ if opts[:type] == :nonreplayable_hash
+ credential_data.merge!(jtr_format: opts[:jtr_format])
+ end
+
+ login_data = {
+ core: create_credential(credential_data),
+ status: opts[:status],
+ proof: opts[:proof]
+ }.merge(service_data)
+
+ unless opts[:status] == Metasploit::Model::Login::Status::UNTRIED
+ login_data.merge!(last_attempted_at: DateTime.now)
+ end
+
+ create_credential_login(login_data)
 end
 def report_note(*s)
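Review bot: `private_type: opts[:type]` and `status: opts[:status]` are passed through unchecked, so a parser that omits either key sends nil into create_credential/create_credential_login, and the `unless opts[:status] == ...UNTRIED` guard then treats a missing status as an attempted login and stamps last_attempted_at on it. Every parser in this patch now passes both, so failing fast at the top of the method is cheaper than a validation error deep in the DB layer: `raise ArgumentError, 'report_cred requires :type and :status' unless opts[:type] && opts[:status]`. `include Msf::Auxiliary::Report` (added in the earlier psnuffle.rb hunk) mixes the reporting helpers into a plain parser class rather than a module instance; the code already reaches for `self.module.myworkspace_id` and `self.module.fullname`, so it is worth confirming that create_credential and create_credential_login resolve everything else they need (presumably `framework`) through BaseProtocolParser's accessors. `DateTime.now` is the legacy class; `Time.now` would do for the timestamp unless the column type requires a DateTime.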