forked from rapid7/metasploit-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'cred_checker' of https://github.com/m-1-k-3/metasploit-…
…framework into m-1-k-3-cred_checker
- Loading branch information
Showing
3 changed files
with
1,029 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,262 @@ | ||
# auto-cred-checker.rc | ||
# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de) | ||
|
||
# This Metasploit RC-File could be used to automatically check already discovered credentials against some other login services | ||
# it uses allready discovered credential from the database and tries to use them against some other services | ||
|
||
<ruby> | ||
if (framework.datastore['VERBOSE'] == "true") #we look in the global datastore for a global VERBOSE option and use it | ||
verbose = 1 #true | ||
else | ||
verbose = 0 | ||
end | ||
|
||
def jobwaiting(verbose) | ||
maxjobs=15 #throtteling if we get too much jobs | ||
while(framework.jobs.keys.length >= maxjobs) | ||
::IO.select(nil, nil, nil, 2.5) | ||
if (verbose == 1) | ||
print_error("waiting for finishing some modules... active jobs: #{framework.jobs.keys.length} / threads: #{framework.threads.length}") | ||
end | ||
end | ||
end | ||
|
||
def infos(serv,creds,host) | ||
print_line("") | ||
print_line("====================================") | ||
print_line("IP: #{host.address}") | ||
print_line("OS: #{host.os_name}") | ||
print_line("Servicename: #{serv.name}") | ||
print_line("Service Port: #{serv.port.to_i}") | ||
print_line("Service Protocol: #{serv.proto}") | ||
print_line("User: #{creds.user}") | ||
print_line("Pass: #{creds.pass}") | ||
print_line("====================================") | ||
print_line("") | ||
end | ||
|
||
framework.db.creds.each do |creds| | ||
next if ( creds.ptype == "smb_hash" ) # ... we do not check windows hashes ... have a look at auto_pass_the_hash.rc | ||
|
||
password = creds.pass | ||
username = creds.user | ||
|
||
framework.db.hosts.each do |host| | ||
host.services.each do |serv| | ||
next if not serv.host | ||
next if (serv.state != ServiceState::Open) | ||
next if not (serv.name =~ /smb/ or serv.name =~ /microsoft-ds/ or serv.name =~ /netbios-ssn/ or serv.name =~ /ftp/ or serv.name =~ /ssh/ or serv.name =~ /telnet/ or serv.name =~ /mysql/ or serv.name =~ /vnc/ or serv.name =~ /mssql/ or serv.name =~ /pop3/ or serv.name =~ /postgres/) # for now we only check these services, you can add some more ... | ||
|
||
xport = serv.port.to_i | ||
xprot = serv.proto | ||
xname = serv.name | ||
xhost = host.address | ||
|
||
|
||
if(xname =~ /smb/ or xname =~ /microsoft-ds/ or xname =~ /netbios-ssn/) | ||
print_line("smb_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/smb/smb_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set SMBUser #{username}") | ||
run_single("set SMBPass #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif (xname =~ /ftp/) | ||
print_line("ftp_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/ftp/ftp_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif(xname =~ /ssh/) | ||
print_line("ssh_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/ssh/ssh_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif(xname =~ /telnet/) | ||
print_line("telnet_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/telnet/telnet_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif(xname =~ /mysql/) | ||
print_line("mysql_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/mysql/mysql_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif(xname =~ /vnc/) | ||
print_line("vnc_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/vnc/vnc_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif(xname =~ /mssql/) | ||
print_line("mssql_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/mssql/mssql_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif(xname =~ /pop3/) | ||
print_line("pop3_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/pop3/pop3_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
elsif (xname =~ /postgres/) | ||
print_line("postgres_login") | ||
if(verbose == 1) | ||
infos(serv,creds,host) | ||
end | ||
run_single("use auxiliary/scanner/postgres/postgres_login") | ||
run_single("set RHOSTS #{xhost}") | ||
run_single("set RPORT #{xport}") | ||
run_single("unset USER_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset PASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("unset USERPASS_FILE") # to check just the credentials of the db we have to disable this | ||
run_single("set BLANK_PASSWORDS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USER_AS_PASS false") # to check just the credentials of the db we have to disable this | ||
run_single("set USERNAME #{username}") | ||
run_single("set PASSWORD #{password}") | ||
#if ( template != nil ) # todo | ||
# run_single("set DATABASE #{template}") | ||
#end | ||
if(verbose == 1) | ||
run_single("set VERBOSE true") | ||
run_single("run -j") | ||
else | ||
run_single("run -j -q") | ||
end | ||
jobwaiting(verbose) | ||
run_single("back") | ||
end | ||
end | ||
end | ||
end | ||
</ruby> |
Oops, something went wrong.