OpenVAS Aux scripts to guess password against OTP/OMP/WWW interfaces #1072

Merged
merged 7 commits into from Nov 24, 2012

4 participants
kost (Contributor) commented Nov 15, 2012

OpenVAS Aux scripts to guess password against OTP/OMP/WWW interfaces

brandonprry (Contributor) commented Nov 15, 2012

This is cool, this will work great with the remote code exec vuln just found.

+ return
+ end
+
+ each_user_pass { |user, pass|

brandonprry (Contributor) Nov 15, 2012

do / end blocks are preferred over curly braces.

kost (Contributor) Nov 16, 2012

Fixed. As well as in other modules.

+ def do_login(user='openvas', pass='openvas')
+ vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")
+ headers = {}
+ data = 'cmd=' << datastore['OMP_cmd'] << '&text=' << datastore['OMP_text'] << '&login=' << user << '&password=' << pass
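Review bot: the 'data =' line appends user and pass into the body verbatim, so a password (or an OMP_text value) containing '&', '=', '%' or '+' shifts the field boundaries and the server checks a different credential than the one the module thinks it tried, a silent false negative rather than an error. Build the body from a hash instead, 'vars_post' => { 'cmd' => datastore['OMP_cmd'], 'text' => datastore['OMP_text'], 'login' => user, 'password' => pass }, and let send_request_cgi do the escaping; the 'headers = {}' hash that is never filled can go at the same time.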

brandonprry (Contributor) Nov 15, 2012

So, I am curious why you implemented it to use GSA instead of OMP. OMP is more likely to be running than GSA. OMP should be faster as well, as it is TCP/XML and not HTTP. Just a thought, willing to be wrong too.

brandonprry (Contributor) Nov 15, 2012

Good point, missed the modules below :)

jlee-r7 (Contributor) Nov 20, 2012

Interpolation is a better way to deal with this kind of idiom.

  data = "cmd=#{datastore['OMP_cmd']}&text=#{datastore['OMP_text']}&login=#{user}&password=#{pass}"

Better still would be to take advantage of the library code that builds query strings for you. See wchen-r7's comment below about using 'vars_post'
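The reason the query-string builder matters is not style: a value that is concatenated without escaping can redraw the field boundaries of the form body. The following is an added example, not code from this pull request or from Metasploit, that builds the same body both ways and then splits it the way a server-side form parser would. The field names follow the hunk; the cmd/text values and the password are constructed samples, and Ruby's URI.encode_www_form stands in for the framework's own 'vars_post' encoder.

```ruby
require 'uri'

# Constructed sample values, not taken from the module: the password contains
# '&' and '=', the two characters that delimit fields in a form-encoded body.
SAMPLE_CMD  = 'login'
SAMPLE_TEXT = 'omp'
SAMPLE_USER = 'admin'
SAMPLE_PASS = 'p&ss=w0rd'

# The idiom from the hunk: pieces are appended verbatim, nothing is escaped.
# (String.new keeps the literal itself unmodified; the appends are the same.)
def body_by_concatenation(cmd, text, user, pass)
  String.new('cmd=') << cmd << '&text=' << text << '&login=' << user << '&password=' << pass
end

# What a query-string builder such as 'vars_post' does for you: every key and
# value is percent-encoded before the pairs are joined. URI.encode_www_form from
# the Ruby standard library stands in for the framework's encoder here.
def body_by_form_encoding(cmd, text, user, pass)
  URI.encode_www_form('cmd' => cmd, 'text' => text, 'login' => user, 'password' => pass)
end

# How the receiving web application splits the body back into fields:
# first on '&', then each pair on its first '='.
def parse_form_body(body)
  URI.decode_www_form(body).to_h
end

# Returns the password the server would actually check for each build strategy,
# so the effect of skipping the encoding step is visible side by side.
def password_seen_by_server
  raw = body_by_concatenation(SAMPLE_CMD, SAMPLE_TEXT, SAMPLE_USER, SAMPLE_PASS)
  enc = body_by_form_encoding(SAMPLE_CMD, SAMPLE_TEXT, SAMPLE_USER, SAMPLE_PASS)
  {
    concatenated: parse_form_body(raw)['password'],  # => "p" (the guess is silently truncated)
    form_encoded: parse_form_body(enc)['password']   # => "p&ss=w0rd"
  }
end

if $PROGRAM_NAME == __FILE__
  password_seen_by_server.each { |how, pw| puts "#{how}: server checks password #{pw.inspect}" }
end
```

With the concatenated body the server receives password "p" plus a stray field "ss=w0rd", so a correct guess is reported as rejected; with the encoded body the server receives the credential as entered. That is a correctness problem for the module and also why the reviewers steer towards the library's query-string code rather than hand-built strings.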

kost (Contributor) commented Nov 15, 2012

Have any public references?

BTW, there have been standalone guessers for quite some time now: https://github.com/kost/vulnscan-pwcrack

kost (Contributor) commented Nov 15, 2012

I have implemented OMP, GSA and OTP - no preference for any of the protocols.

Only OAP is missing. I will implement OAP in the future.

brandonprry (Contributor) commented Nov 16, 2012

So far so good on both the gsad and omp bruteforcers. However, if I am not using a DB, I have no easy way of knowing which creds worked on which hosts in the end. If I am using many threads (I used up to 50) and scanning a /24, it is very difficult to see the real results. With a DB it is fine, you just type creds, but a small printout at the end with successful attempts would be useful if no DB is connected.

msf auxiliary(openvas_omp_login) > run

[*] 192.168.1.42:9390 OpenVAS OMP - Connecting and checking username and passwords
[*] 192.168.1.42:9390 OPENVAS_OMP - [1/2] - OpenVAS OMP - Trying user:'admin' with password:'admin'
[-] 192.168.1.42:9390 OPENVAS_OMP - [1/2] - OpenVAS OMP - Rejected user: 'admin' with password: 'admin': <authenticate_response status="400" status_text="Authentication failed"/><omp_response status="400" status_text="First command must be AUTHENTICATE, COMMANDS or GET_VERSION"/>
[*] 192.168.1.42:9390 OPENVAS_OMP - [2/2] - OpenVAS OMP - Trying user:'admin' with password:'password'
[+] 192.168.1.42:9390 OpenVAS OMP - SUCCESSFUL login for 'admin' : 'password'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(openvas_omp_login) >
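The rejected reply in the log above is worth a closer look: the manager answers with two top-level elements, and both carry status="400", but only the authenticate_response element says anything about the credentials; the omp_response is a protocol complaint. Treating the whole string as "status 400 means wrong password" would also misclassify a reply that contains only the protocol error. The following is an added example, not code from the pull request or from Metasploit, that parses such a reply with REXML and returns a verdict. The sample replies are constructed from the strings visible in the log, the success reply is a constructed minimal form, and the synthetic wrapper element is this example's way of coping with the multiple top-level elements.

```ruby
require 'rexml/document'

# Constructed sample replies, modelled on the strings in the run log above.
# A rejection as logged: two top-level elements, both with status="400".
OMP_REJECTED = '<authenticate_response status="400" status_text="Authentication failed"/>' \
               '<omp_response status="400" status_text="First command must be AUTHENTICATE, COMMANDS or GET_VERSION"/>'
# A successful authenticate (constructed minimal form; real replies carry child elements too).
OMP_ACCEPTED = '<authenticate_response status="200" status_text="OK"/>'
# A protocol complaint that gives no verdict on the credentials at all.
OMP_PROTOCOL_ERROR = '<omp_response status="400" status_text="First command must be AUTHENTICATE, COMMANDS or GET_VERSION"/>'
# Something that is not OMP at all (for instance a web server listening on the port).
OMP_GARBAGE = 'HTTP/1.0 400 Bad Request'

# Classify the manager's reply to an <authenticate> command.
# Returns [verdict, status_text] where verdict is :success, :rejected or :unknown.
def classify_omp_auth(raw)
  # A reply may contain several top-level elements, which is not one well-formed
  # XML document, so the payload is wrapped in a synthetic root before parsing.
  doc  = REXML::Document.new("<omp_reply>#{raw}</omp_reply>")
  auth = doc.root.elements['authenticate_response']
  # Only authenticate_response speaks about the credentials; a bare omp_response
  # with status 400 is a protocol error and must not be read as "wrong password".
  return [:unknown, 'no authenticate_response in reply'] if auth.nil?

  status = auth.attributes['status']
  text   = auth.attributes['status_text'].to_s
  case status
  when '200' then [:success, text]
  when '400' then [:rejected, text]
  else            [:unknown, "unexpected status #{status}: #{text}"]
  end
rescue REXML::ParseException => e
  # Malformed XML is reported as unknown rather than as a credential verdict.
  [:unknown, "unparseable reply: #{e.message.lines.first.to_s.strip}"]
end

if $PROGRAM_NAME == __FILE__
  { rejected: OMP_REJECTED, accepted: OMP_ACCEPTED,
    protocol_error: OMP_PROTOCOL_ERROR, garbage: OMP_GARBAGE }
    .each { |name, reply| puts "#{name}: #{classify_omp_auth(reply).inspect}" }
end
```

Keeping :unknown separate from :rejected is what lets a module (or a log reviewer) tell "the password was wrong" apart from "the service did not understand us", which is exactly the distinction the concatenated 400/400 reply above blurs.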

brandonprry (Contributor) commented Nov 16, 2012

Or, perhaps the real solution is to make some of the messages viewed only when VERBOSE is true.

Not sure.

kost (Contributor) commented Nov 16, 2012

This is what I found troublesome on almost all aux/login modules in msf (for example: ssh_login). Try turning off verbose. Then you will get only the successful ones.

brandonprry (Contributor) commented Nov 16, 2012

Ah, I see. np

kost (Contributor) commented Nov 16, 2012

By code exec, you mean this http://www.openvas.org/OVSA20121112.html or is there something newer? :)

brandonprry (Contributor) commented Nov 16, 2012

Yes, but don't steal it, I plan on finishing the metasploit module tomorrow night. :P

brandonprry (Contributor) commented Nov 16, 2012

This is a great addition since that code exec requires authentication into Greenbone.

kost (Contributor) commented Nov 16, 2012

No worries. If you need any help writing it - let me know :)

brandonprry (Contributor) commented Nov 16, 2012

Sorry, forgot to paste the output of gsad

msf auxiliary(openvas_gsad_login) > run

[*] 192.168.1.43:443 OPENVAS_GSAD - [1/1] - OpenVAS gsad - - Trying username:'admin' with password:'adm'
[-] 192.168.1.43:443 OPENVAS_GSAD - [1/1] - OpenVAS gsad - FAILED LOGIN. 'admin' : 'adm'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(openvas_gsad_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf auxiliary(openvas_gsad_login) > run

[*] 192.168.1.43:443 OPENVAS_GSAD - [1/2] - OpenVAS gsad - - Trying username:'admin' with password:'admin'
[+] 192.168.1.43:443 OpenVAS gsad - SUCCESSFUL LOGIN. 'admin' : 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(openvas_gsad_login) >

brandonprry (Contributor) commented Nov 18, 2012

These are probably OK to merge. I set up an old openvas install in a VM and successfully ran it.

EDIT: BTW I had to change RPORT from 9391 to 9390. I installed from the Ubuntu 12.04 repos.

msf auxiliary(openvas_otp_login) > run

[*] 192.168.1.44:9390 OpenVAS OTP - Connecting and checking username and passwords
[*] 192.168.1.44:9390 OPENVAS_OTP - [1/2] - OpenVAS OTP - Trying user:'admin' with password:'admin'
[-] 192.168.1.44:9390 OPENVAS_OTP - [1/2] - OpenVAS OTP - Rejected user: 'admin' with password: 'admin': Bad login attempt !
[*] 192.168.1.44:9390 OPENVAS_OTP - [2/2] - OpenVAS OTP - Trying user:'admin' with password:'password'
[+] 192.168.1.44:9390 OpenVAS OTP - SUCCESSFUL login for 'admin' : 'password'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(openvas_otp_login) >

kost (Contributor) commented Nov 19, 2012

By the new convention (AFAIK): 9390 is for OMP and 9391 is for NTP (and this is how I made defaults in these modules).

+ each_user_pass do |user, pass|
+ do_login(user, pass)
+ end
+ end

wchen-r7 (Contributor) Nov 19, 2012

This 'end' looks odd. Did you actually mean it here, or after the ::Exception => e handling?

kost (Contributor) Nov 23, 2012

Thanks - fixed!

+ each_user_pass do |user, pass|
+ do_login(user, pass)
+ end
+ end

wchen-r7 (Contributor) Nov 19, 2012

Same question as above for this line.

kost (Contributor) Nov 23, 2012

Thanks - fixed!

+ def run_host(ip)
+ begin
+ res = send_request_cgi({
+ 'uri' => "#{datastore['URI']}",

wchen-r7 (Contributor) Nov 19, 2012

or you can just do:

  'uri' => datastore['URI']

kost (Contributor) Nov 23, 2012

Thanks - fixed!

+ 'uri' => "#{datastore['URI']}",
+ 'method' => 'POST',
+ 'headers' => headers,
+ 'data' => data
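Review bot: 'headers' => headers passes along the empty hash created at 'headers = {}' and so adds nothing to the request, while 'data' => data hands over the body that was concatenated by hand; replace 'data' with 'vars_post' => { 'cmd' => datastore['OMP_cmd'], 'text' => datastore['OMP_text'], 'login' => user, 'password' => pass } so the client escapes each value itself, and drop the 'headers' key unless a real header is set.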

wchen-r7 (Contributor) Nov 19, 2012

If you're using send_request_cgi(), you should take advantage of 'vars_post' instead of 'post'.

jlee-r7 (Contributor) Nov 20, 2012

I think wchen-r7 meant "'vars_post' instead of 'data'"

kost (Contributor) Nov 23, 2012

Thanks - fixed!

+ begin
+ res = send_request_cgi({
+ 'encode' => true,
+ 'uri' => "#{datastore['URI']}",
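Review bot: 'encode' => true on this request is inert as long as the body is supplied as a pre-built string: the encode flag governs how the client escapes the pieces it assembles itself (the URI and the key/value pairs given through 'vars_get' and 'vars_post'), not a 'data' value that is passed through verbatim. Either move the body to 'vars_post', at which point the flag starts to matter and the values should be handed over unescaped so they are not encoded twice, or remove the option so the request does not suggest an encoding that is not happening.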

wchen-r7 (Contributor) Nov 19, 2012

Can be just:

  'uri' => datastore['URI']

kost (Contributor) Nov 23, 2012

Thanks - fixed!

+ vprint_error("#{msg} Rejected user: '#{user}' with password: '#{pass}': #{@result}")
+ return :fail
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
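Review bot: the rescue for the connection exceptions should end the host, not just this attempt: return :abort from the handler so each_user_pass stops iterating credentials against a target that refused the connection or timed out, otherwise every remaining pair is retried against a dead service and the run costs one timeout per password. ::Rex::ConnectionError is the common parent of the three classes listed, so a single rescue of that class is enough, and the message on the vprint_error line above (which is only shown when VERBOSE is set) is the right place to report a rejected pair, while a connection failure deserves a non-verbose print since it means the host was never tested.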

jlee-r7 (Contributor) Nov 20, 2012

All of these are ::Rex::ConnectionErrors, just rescue that instead of all these.

kost (Contributor) Nov 23, 2012

Thanks! Fixed!

kost (Contributor) commented Nov 23, 2012

Thanks for the comments, I think I fixed all of them. Let me know if there's anything else I can do.

wchen-r7 (Contributor) commented Nov 24, 2012

Code looks good to me. brandonprry, good to go?

brandonprry (Contributor) commented Nov 24, 2012

I am quite happy with the functionality.

wchen-r7 (Contributor) commented Nov 24, 2012

Ok, cool. Thanks.

brandonprry (Contributor) commented Nov 24, 2012

AKA I think it is good to merge :)

wchen-r7 (Contributor) commented Nov 24, 2012

Checked with msftidy, ruby 1.9 and 1.8... merging...

wchen-r7 merged commit ec3ce49 into rapid7:master Nov 24, 2012

1 check passed: The Travis build passed