Metasploit Aux script to guess password against RPC interface #1070

Merged
merged 8 commits into from Nov 26, 2012


@kost

Metasploit Aux script to guess password against RPC interface

@brandonprry

Hmm, not sure if we bundle msgpack or not... I am sure we do, I can't imagine you need to rely on the external gem...

[bperry@w00den-pickle brandonprry_msf]$ ./msfconsole
[-] WARNING! The following modules could not be loaded!
[-] /home/bperry/Projects/brandonprry_msf/modules/auxiliary/scanner/msf/msf_rpc_login.rb: LoadError cannot load such file -- msgpack

Might be wrong, sinn3r or egypt may have better ideas.

EDIT: Duh, running from git. Never mind.

@bperry-r7

Hmm, doesn't seem to be working for me...

msf auxiliary(msf_rpc_login) > run

[*] 192.168.1.45:55553 MSF_RPC - [1/2] - Metasploit RPC - - Trying username:'admin' with password:'admin'
[*] 192.168.1.45:55553 MSF_RPC - [1/2] - Metasploit RPC - true - Bad login
[*] 192.168.1.45:55553 MSF_RPC - [2/2] - Metasploit RPC - - Trying username:'admin' with password:'P@ssw0rd!'
[*] 192.168.1.45:55553 MSF_RPC - [2/2] - Metasploit RPC - true - Bad login
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(msf_rpc_login) >

P@ssw0rd! is definitely admin's password.

I think you can also disable user_as_pass by default since metasploit's password criteria requires username not match password. This is a nice speedup for the user. Will do some more testing to see if I can figure it out, but so far not sure what is up...

@brandonprry

Ok, the port was wrong. I was testing against a Pro instance, which is on port 3790.

msf auxiliary(msf_rpc_login) > run

[*] 192.168.1.45:3790 MSF_RPC - [1/2] - Metasploit RPC - - Trying username:'admin' with password:'admin'
[*] 192.168.1.45:3790 MSF_RPC - [1/2] - Metasploit RPC - true - Bad login
[*] 192.168.1.45:3790 MSF_RPC - [2/2] - Metasploit RPC - - Trying username:'admin' with password:'P@ssw0rd!'
[+] 192.168.1.45:3790 Metasploit RPC - SUCCESSFUL LOGIN. 'admin' : 'P@ssw0rd!'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(msf_rpc_login) >

@kost

Great, it works for you. Regarding external modules (msgpack): I think you should have it, since msfrpc/msfrpcd needs it as well.

@jlee-r7

I kinda love this.

@jlee-r7 jlee-r7 commented on the diff Nov 20, 2012
modules/auxiliary/scanner/msf/msf_rpc_login.rb
+ def initialize
+ super(
+ 'Name' => 'Metasploit RPC interface Login Utility',
+ 'Description' => 'This module simply attempts to login to a Metasploit RPC interface using a specific user/pass.',
+ 'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(55553),
+ OptString.new('USERNAME', [true, "A specific username to authenticate as. Default is msf", "msf"]),
+ OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
+ OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true])
+ ], self.class)
+
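Review bot: Opt::RPORT(55553) and the SSL default of true fit msfrpcd, but the Pro instance exercised later in this thread listens on 3790, so a register_autofilter_ports(3790) call alongside the options would let the module be selected for that port as well. Separately, the Description ('simply attempts to login ... using a specific user/pass') undersells what the included AuthBrute mixin does here: it also walks credential lists and, with USER_AS_PASS set as in the session quoted later, tries the username as the password first. Rewording it to say the module brute-forces RPC credentials, and defaulting USER_AS_PASS to false given the note above that the password policy rejects username-as-password, would match the behaviour shown in the thread.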
@jlee-r7
jlee-r7 Nov 20, 2012

Should also register_autofilter_ports(3790), which as @bperry-r7 pointed out is the default for Pro.

@kost
kost Nov 24, 2012

Thanks - fixed!

@jlee-r7 jlee-r7 and 1 other commented on an outdated diff Nov 20, 2012
modules/auxiliary/scanner/msf/msf_rpc_login.rb
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/rpc/v10/client'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::AuthBrute
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'Metasploit RPC interface Login Utility',
+ 'Description' => 'This module simply attempts to login to a Metasploit RPC interface using a specific user/pass.',
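Review bot: `require 'msf/core/rpc/v10/client'` pulls in msgpack transitively, which is exactly what failed in the msfconsole run quoted earlier in the thread ("LoadError cannot load such file -- msgpack"), so the module's loadability depends on that gem being resolvable. A short comment next to the require stating that dependency (or a rescue LoadError with a clear message) would save the next person the same confusion; the Description line in this hunk also runs well past 80 columns and should be wrapped.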
@jlee-r7
jlee-r7 Nov 20, 2012

Wrap at 80 cols, please

@kost
kost Nov 24, 2012

Thanks - fixed!

@kost

Let me know if there's anything else left to fix.

@kost

BTW, just finished a guesser for the Pro instance on the web port (3790). Thanks for the idea ;)

@brandonprry

Cool, I will test it out here in a bit.

@brandonprry

Cool

msf > use auxiliary/scanner/msf/msf_web_login
msf auxiliary(msf_web_login) > set RHOSTS 192.168.1.45
RHOSTS => 192.168.1.45
msf auxiliary(msf_web_login) > set USERNAME admin
USERNAME => admin
msf auxiliary(msf_web_login) > set PASSWORD "P@ssw0rd!"
PASSWORD => P@ssw0rd!
msf auxiliary(msf_web_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf auxiliary(msf_web_login) > run

[*] 192.168.1.45:3790 MSF_WEB - [1/2] - Metasploit Web - - Trying username:'admin' with password:'admin'
[-] 192.168.1.45:3790 MSF_WEB - [1/2] - Metasploit Web - FAILED LOGIN. 'admin' : 'admin' with wrong redirect
[*] 192.168.1.45:3790 MSF_WEB - [2/2] - Metasploit Web - - Trying username:'admin' with password:'P@ssw0rd!'
[+] 192.168.1.45:3790 Metasploit Web - SUCCESSFUL LOGIN. 'admin' : 'P@ssw0rd!'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(msf_web_login) >

One small thing

[bperry@w00den-pickle brandonprry_msf]$ tools/msftidy.rb modules/auxiliary/scanner/msf/msf_*
msf_rpc_login.rb:25 - [WARNING] Spaces at EOL
[bperry@w00den-pickle brandonprry_msf]$
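As an added example that is not part of this PR or of Metasploit itself, the following Ruby parser turns the msf_rpc_login / msf_web_login console output quoted in this thread into a per-target tally suitable for a findings report. The sample output and its host and ports are constructed to match the format shown above.

```ruby
# Added example (not from the PR): parse AuthBrute-style console output from the
# msf_rpc_login and msf_web_login modules into structured per-target results.
# Constructed sample in the format quoted in the thread; host/ports are made up.
SAMPLE_OUTPUT = <<~OUT
[*] 192.168.1.45:55553 MSF_RPC - [1/2] - Metasploit RPC - - Trying username:'admin' with password:'admin'
[*] 192.168.1.45:55553 MSF_RPC - [1/2] - Metasploit RPC - true - Bad login
[*] 192.168.1.45:55553 MSF_RPC - [2/2] - Metasploit RPC - - Trying username:'admin' with password:'P@ssw0rd!'
[+] 192.168.1.45:55553 Metasploit RPC - SUCCESSFUL LOGIN. 'admin' : 'P@ssw0rd!'
[*] 192.168.1.45:3790 MSF_WEB - [1/2] - Metasploit Web - - Trying username:'admin' with password:'admin'
[-] 192.168.1.45:3790 MSF_WEB - [1/2] - Metasploit Web - FAILED LOGIN. 'admin' : 'admin' with wrong redirect
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
OUT

# "[*] host:port TAG - [n/total] - Service - - Trying username:'u' with password:'p'"
ATTEMPT_RE = /\A\[\*\] (?<host>[\d.]+):(?<port>\d+) \S+ - \[\d+\/\d+\] - .*Trying username:'(?<user>[^']*)' with password:'(?<pass>[^']*)'\z/
# "[+] host:port Service - SUCCESSFUL LOGIN. 'u' : 'p'"
SUCCESS_RE = /\A\[\+\] (?<host>[\d.]+):(?<port>\d+) (?<svc>.+?) - SUCCESSFUL LOGIN\. '(?<user>[^']*)' : '(?<pass>[^']*)'\z/
# The RPC module reports "... - true - Bad login"; the web module reports "... - FAILED LOGIN. ..."
FAIL_RE = /\A\[[*-]\] (?<host>[\d.]+):(?<port>\d+) \S+ - \[\d+\/\d+\] - .*(?:Bad login|FAILED LOGIN)/

def parse_login_output(text)
  targets = Hash.new { |h, k| h[k] = { attempts: 0, failures: 0, successes: [] } }
  text.each_line(chomp: true) do |line|
    if (m = ATTEMPT_RE.match(line))
      targets["#{m[:host]}:#{m[:port]}"][:attempts] += 1
    elsif (m = SUCCESS_RE.match(line))
      targets["#{m[:host]}:#{m[:port]}"][:successes] << { service: m[:svc], user: m[:user], pass: m[:pass] }
    elsif (m = FAIL_RE.match(line))
      targets["#{m[:host]}:#{m[:port]}"][:failures] += 1
    end
    # Status lines such as "Scanned 1 of 1 hosts" carry no per-target data and are skipped.
  end
  targets
end

# One report line per target; accepted passwords are masked so the summary can be shared.
def report_lines(targets)
  targets.map do |endpoint, t|
    creds = t[:successes].map { |s| "#{s[:user]}:#{'*' * s[:pass].length} (#{s[:service]})" }
    "#{endpoint}: #{t[:attempts]} attempts, #{t[:failures]} failed, #{creds.empty? ? 'no valid credentials' : creds.join(', ')}"
  end
end

puts report_lines(parse_login_output(SAMPLE_OUTPUT)) if __FILE__ == $PROGRAM_NAME
```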

@brandonprry

sinn3r or egypt, I think this is ready to merge. Haven't tested 1.8 though...

@wchen-r7

I notice the output is actually repeating "MSF_WEB - [2/2] - Metasploit Web"... which is kinda weird. I'll just remove that. The rest look ok to me.

@wchen-r7 wchen-r7 merged commit c22335a into rapid7:master Nov 26, 2012

1 check passed: the Travis build passed.