From 4946fc297f77894b6887fe1da8a8dbca92182ea6 Mon Sep 17 00:00:00 2001
From: Dean Welch
Date: Wed, 20 Mar 2024 12:14:49 +0000
Subject: [PATCH 1/3] Add user affordance for scanner modules that can create a new session
---
 .../auxiliary/scanner/mssql/mssql_login.rb | 20 ++++++++++++++++--
 .../auxiliary/scanner/mysql/mysql_login.rb | 18 +++++++++++++++-
 .../scanner/postgres/postgres_login.rb | 21 ++++++++++++++++---
 modules/auxiliary/scanner/smb/smb_login.rb | 20 ++++++++++++++++--
 4 files changed, 71 insertions(+), 8 deletions(-)
diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb
index cea58465372e..dd1770fdee44 100644
--- a/modules/auxiliary/scanner/mssql/mssql_login.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_login.rb
@@ -56,6 +56,19 @@ def create_session?
 end
 end
+ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
 print_status("Bruteforce completed, #{logins.size} credentials were successful.")
 if datastore['CreateSession']
 print_status("#{sessions.size} MSSQL sessions were opened successfully.")
 else
 print_status('You can open an MSSQL session with these credentials and CreateSession set to true')
 end
 results
 end
+
 def run_host(ip)
 print_status("#{rhost}:#{rport} - MSSQL - Starting authentication scanner.")
@@ -102,7 +115,8 @@ def run_host(ip)
 local_port: datastore['CPORT'],
 local_host: datastore['CHOST']
 )
-
+ successful_logins = []
+ successful_sessions = []
 scanner.scan! do |result|
 credential_data = result.to_h
 credential_data.merge!(
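Review bot: The summary in the new `run` branches on `datastore['CreateSession']` while the session-opening path in `run_host` (later hunks) branches on the `create_session?` predicate named in this hunk's header, so the two messages can disagree if that predicate ever checks more than the bare option; `if create_session?` keeps the printed outcome tied to what was actually attempted. The two `flat_map` lines also assume every value in `results` is the hash `run_host` returns: if the Scanner mixin's `run` (outside this diff) records nil for a host that aborted, `v[:successful_logins]` raises, and a nil value inside that hash would be counted as a login because `flat_map` does not flatten nil. A defensive form is `logins = results.flat_map { |_k, v| Array(v&.dig(:successful_logins)) }` with the same for `sessions`. The identical `run` body is added in the mysql (`@@ -60,6 +60,18`), postgres (`@@ -64,6 +64,19`) and smb (`@@ -88,6 +88,19`) hunks.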
@@ -114,11 +128,12 @@ def run_host(ip)
 credential_data[:core] = credential_core
 create_credential_login(credential_data)
 print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"
+ successful_logins << result
 if create_session?
 begin
 mssql_client = result.proof
- session_setup(result, mssql_client)
+ successful_sessions << session_setup(result, mssql_client)
 rescue ::StandardError => e
 elog('Failed: ', error: e)
 print_error(e)
@@ -130,6 +145,7 @@ def run_host(ip)
 vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
 end
 end
+ { successful_logins: successful_logins, successful_sessions: successful_sessions }
 end
 def session_setup(result, client)
diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb
index 909f929ad9c7..18a6d3a7043d 100644
--- a/modules/auxiliary/scanner/mysql/mysql_login.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_login.rb
@@ -60,6 +60,18 @@ def target
 [rhost,rport].join(":")
 end
+ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
 print_status("Bruteforce completed, #{logins.size} credentials were successful.")
 if datastore['CreateSession']
 print_status("#{sessions.size} MySQL sessions were opened successfully.")
 else
 print_status('You can open an MySQL session with these credentials and CreateSession set to true')
 end
 results
 end
 def run_host(ip)
 begin
@@ -90,6 +102,8 @@ def run_host(ip)
 local_host: datastore['CHOST']
 )
+ successful_logins = []
+ successful_sessions = []
 scanner.scan! do |result|
 credential_data = result.to_h
 credential_data.merge!(
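Review bot: `successful_sessions << session_setup(result, mssql_client)` appends whatever `session_setup` returns, so the session count printed by `run` is only correct if that method (declared just below this hunk, body outside the diff) returns a truthy session object on success and raises on every failure; if it can return nil, the count is inflated. Safer is `session = session_setup(result, mssql_client)` followed by `successful_sessions << session if session`. The same pattern is added in the mysql (`@@ -102,11 +116,12`), postgres (`@@ -98,11 +112,12`) and smb (`@@ -173,11 +187,12`) hunks. `run_host` begins before this hunk.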
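Review bot: The new `run` in mysql_login.rb closes with `end` immediately followed by `def run_host(ip)`, whereas the other three modules separate the two methods with a blank line; add the blank line for consistency. The string `'You can open an MySQL session with these credentials and CreateSession set to true'` should read `a MySQL session`, and neither the later `%grnCreateSession%clr` change nor the "Grammar" patch in this series corrects it.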
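Review bot: `successful_logins = []` and `successful_sessions = []` are initialised inside the `begin` block that opens `run_host` (visible in the previous hunk's context), but the result hash added in `@@ -125,6 +140,7` is built after the `rescue ::Rex::ConnectionError, ::EOFError` handler, whose only action is a `vprint_error`. When that exception is raised before these two assignments execute, both locals are still nil and the host yields `{ successful_logins: nil, successful_sessions: nil }`; `run`'s `flat_map` keeps that nil as an element, so `logins.size` is over-counted by one for every host that could not be reached. Move the two assignments to just before `begin` so an unreachable host contributes two empty arrays.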
@@ -102,11 +116,12 @@ def run_host(ip)
 create_credential_login(credential_data)
 print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
+ successful_logins << result
 if create_session?
 begin
 mysql_client = result.proof
- session_setup(result, mysql_client)
+ successful_sessions << session_setup(result, mysql_client)
 rescue ::StandardError => e
 elog('Failed: ', error: e)
 print_error(e)
@@ -125,6 +140,7 @@ def run_host(ip)
 rescue ::Rex::ConnectionError, ::EOFError => e
 vprint_error "#{target} - Unable to connect: #{e.to_s}"
 end
+ { successful_logins: successful_logins, successful_sessions: successful_sessions }
 end
 # Tmtm's rbmysql is only good for recent versions of mysql, according
diff --git a/modules/auxiliary/scanner/postgres/postgres_login.rb b/modules/auxiliary/scanner/postgres/postgres_login.rb
index 8c2d83de999b..ca0f75715e10 100644
--- a/modules/auxiliary/scanner/postgres/postgres_login.rb
+++ b/modules/auxiliary/scanner/postgres/postgres_login.rb
@@ -64,6 +64,19 @@ def create_session?
 end
 end
+ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
 print_status("Bruteforce completed, #{logins.size} credentials were successful.")
 if datastore['CreateSession']
 print_status("#{sessions.size} Postgres sessions were opened successfully.")
 else
 print_status('You can open a Postgres session with these credentials and CreateSession set to true')
 end
 results
 end
+
 # Loops through each host in turn. Note the current IP address is both
 # ip and datastore['RHOST']
 def run_host(ip)
@@ -85,7 +98,8 @@ def run_host(ip)
 framework_module: self,
 use_client_as_proof: create_session?
 )
-
+ successful_logins = []
+ successful_sessions = []
 scanner.scan! do |result|
 credential_data = result.to_h
 credential_data.merge!(
@@ -98,11 +112,12 @@ def run_host(ip)
 create_credential_login(credential_data)
 print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"
+ successful_logins << result
 if create_session?
 begin
 postgresql_client = result.proof
- session_setup(result, postgresql_client)
+ successful_sessions << session_setup(result, postgresql_client)
 rescue ::StandardError => e
 elog('Failed: ', error: e)
 print_error(e)
@@ -114,7 +129,7 @@ def run_host(ip)
 vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
 end
 end
-
+ { successful_logins: successful_logins, successful_sessions: successful_sessions }
 end
 # Alias for RHOST
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index 4a56974ef330..bb651e29144a 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -88,6 +88,19 @@ def create_session?
 end
 end
+ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
 print_status("Bruteforce completed, #{logins.size} credentials were successful.")
 if datastore['CreateSession']
 print_status("#{sessions.size} SMB sessions were opened successfully.")
 else
 print_status('You can open an SMB session with these credentials and CreateSession set to true')
 end
 results
 end
+
 def run_host(ip)
 print_brute(level: :vstatus, ip: ip, msg: 'Starting SMB login bruteforce')
@@ -156,7 +169,8 @@ def run_host(ip)
 cred_collection = prepend_db_hashes(cred_collection)
 @scanner.cred_details = cred_collection
-
+ successful_logins = []
+ successful_sessions = []
 @scanner.scan! do |result|
 case result.status
 when Metasploit::Model::Login::Status::LOCKED_OUT
@@ -173,11 +187,12 @@ def run_host(ip)
 :next_user
 when Metasploit::Model::Login::Status::SUCCESSFUL
 print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}' #{result.access_level}"
+ successful_logins << result
 report_creds(ip, rport, result)
 if create_session?
 begin
 smb_client = result.proof
- session_setup(result, smb_client)
+ successful_sessions << session_setup(result, smb_client)
 rescue StandardError => e
 elog('Failed to setup the session', error: e)
 print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"
@@ -217,6 +232,7 @@ def run_host(ip)
 )
 end
 end
+ { successful_logins: successful_logins, successful_sessions: successful_sessions }
 end
 # This logic is not universal ie a local account will not care about workgroup
From 686acb4c7ba684fe9fae8b10c53b450d4c74d2bb Mon Sep 17 00:00:00 2001
From: Dean Welch
Date: Wed, 20 Mar 2024 15:06:20 +0000
Subject: [PATCH 2/3] Correctly format CreateSession option in output
---
 modules/auxiliary/scanner/mssql/mssql_login.rb | 2 +-
 modules/auxiliary/scanner/mysql/mysql_login.rb | 2 +-
 modules/auxiliary/scanner/postgres/postgres_login.rb | 2 +-
 modules/auxiliary/scanner/smb/smb_login.rb | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb
index dd1770fdee44..4da37b65120f 100644
--- a/modules/auxiliary/scanner/mssql/mssql_login.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_login.rb
@@ -64,7 +64,7 @@ def run
 if datastore['CreateSession']
 print_status("#{sessions.size} MSSQL sessions were opened successfully.")
 else
- print_status('You can open an MSSQL session with these credentials and CreateSession set to true')
+ print_status('You can open an MSSQL session with these credentials and %grnCreateSession%clr set to true')
 end
 results
 end
diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb
index 18a6d3a7043d..020577c04d0c 100644
--- a/modules/auxiliary/scanner/mysql/mysql_login.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_login.rb
@@ -68,7 +68,7 @@ def run
 if datastore['CreateSession']
 print_status("#{sessions.size} MySQL sessions were opened successfully.")
 else
- print_status('You can open an MySQL session with these credentials and CreateSession set to true')
+ print_status('You can open an MySQL session with these credentials and %grnCreateSession%clr set to true')
 end
 results
 end
diff --git a/modules/auxiliary/scanner/postgres/postgres_login.rb b/modules/auxiliary/scanner/postgres/postgres_login.rb
index ca0f75715e10..fd6b8eb76f43 100644
--- a/modules/auxiliary/scanner/postgres/postgres_login.rb
+++ b/modules/auxiliary/scanner/postgres/postgres_login.rb
@@ -72,7 +72,7 @@ def run
 if datastore['CreateSession']
 print_status("#{sessions.size} Postgres sessions were opened successfully.")
 else
- print_status('You can open a Postgres session with these credentials and CreateSession set to true')
+ print_status('You can open a Postgres session with these credentials and %grnCreateSession%clr set to true')
 end
 results
 end
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index bb651e29144a..98e2296dfa99 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -96,7 +96,7 @@ def run
 if datastore['CreateSession']
 print_status("#{sessions.size} SMB sessions were opened successfully.")
 else
- print_status('You can open an SMB session with these credentials and CreateSession set to true')
+ print_status('You can open an SMB session with these credentials and %grnCreateSession%clr set to true')
 end
 results
 end
From 7e3048d2f723ad6d55b68c67b23dfd0899ff2fd4 Mon Sep 17 00:00:00 2001
From: Dean Welch
Date: Wed, 20 Mar 2024 15:45:07 +0000
Subject: [PATCH 3/3] Grammar
---
 modules/auxiliary/scanner/mssql/mssql_login.rb | 4 ++--
 modules/auxiliary/scanner/mysql/mysql_login.rb | 4 ++--
 modules/auxiliary/scanner/postgres/postgres_login.rb | 4 ++--
 modules/auxiliary/scanner/smb/smb_login.rb | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb
index 4da37b65120f..bfaf205cd28e 100644
--- a/modules/auxiliary/scanner/mssql/mssql_login.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_login.rb
@@ -60,9 +60,9 @@ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
- print_status("Bruteforce completed, #{logins.size} credentials were successful.")
+ print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
 if datastore['CreateSession']
- print_status("#{sessions.size} MSSQL sessions were opened successfully.")
+ print_status("#{sessions.size} MSSQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
 else
 print_status('You can open an MSSQL session with these credentials and %grnCreateSession%clr set to true')
 end
diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb
index 020577c04d0c..aeaaba020c78 100644
--- a/modules/auxiliary/scanner/mysql/mysql_login.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_login.rb
@@ -64,9 +64,9 @@ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
- print_status("Bruteforce completed, #{logins.size} credentials were successful.")
+ print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
 if datastore['CreateSession']
- print_status("#{sessions.size} MySQL sessions were opened successfully.")
+ print_status("#{sessions.size} MySQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
 else
 print_status('You can open an MySQL session with these credentials and %grnCreateSession%clr set to true')
 end
diff --git a/modules/auxiliary/scanner/postgres/postgres_login.rb b/modules/auxiliary/scanner/postgres/postgres_login.rb
index fd6b8eb76f43..ea240104dae1 100644
--- a/modules/auxiliary/scanner/postgres/postgres_login.rb
+++ b/modules/auxiliary/scanner/postgres/postgres_login.rb
@@ -68,9 +68,9 @@ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
- print_status("Bruteforce completed, #{logins.size} credentials were successful.")
+ print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
 if datastore['CreateSession']
- print_status("#{sessions.size} Postgres sessions were opened successfully.")
+ print_status("#{sessions.size} Postgres #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
 else
 print_status('You can open a Postgres session with these credentials and %grnCreateSession%clr set to true')
 end
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index 98e2296dfa99..effac65894df 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -92,9 +92,9 @@ def run
 results = super
 logins = results.flat_map { |_k, v| v[:successful_logins] }
 sessions = results.flat_map { |_k, v| v[:successful_sessions] }
- print_status("Bruteforce completed, #{logins.size} credentials were successful.")
+ print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
 if datastore['CreateSession']
- print_status("#{sessions.size} SMB sessions were opened successfully.")
+ print_status("#{sessions.size} SMB #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
 else
 print_status('You can open an SMB session with these credentials and %grnCreateSession%clr set to true')
 end