Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add http login scanner for Onion Omega2 devices #11661

Merged
merged 3 commits into from
May 21, 2019
Merged

Add http login scanner for Onion Omega2 devices #11661

merged 3 commits into from
May 21, 2019

Conversation

nsa
Copy link
Contributor

@nsa nsa commented Mar 30, 2019

The onion_omega2_login module is used to brute-force credentials for Onion Omage2 devices.

Vulnerable Application

  • Onion Omage2 HTTPd Service

Onion Omega2

Onion Omega2 OnionOS Web Page

Verification Steps

  1. Plug your Onion Omega2 device to a power source.
    • First time setup can be found here
  2. Connect its Wi-Fi network.
  3. Start msfconsole
  4. Do: use auxiliary/scanner/http/onion_omega2_login
  5. Do: set RHOSTS 192.168.3.1
  6. Do: set USERPASS_FILE <user pass dictionary>
    • username and password seperated by space and one pair per line.
  7. Do: run

Sample userpass file:

root 123456
root password
root 123456789
root 12345678
root 12345
root 10601
root qwerty
root 123123
root 111111
root abc123
root 1234567
root dragon
root 1q2w3e4r
root sunshine
root 654321
root master

Scenario

msf5 > use auxiliary/scanner/http/onion_omega2_login
msf5 auxiliary(scanner/http/onion_omega2_login) > set RHOSTS 192.168.3.1
RHOSTS => 192.168.3.1
msf5 auxiliary(scanner/http/onion_omega2_login) > set USERPASS_FILE something.txt
USERPASS_FILE => something.txt
msf5 auxiliary(scanner/http/onion_omega2_login) > run

[*] Running for 192.168.3.1...
[*] 192.168.3.1:80 - [ 1/16] - root:123456 - Failure
[!] No active DB -- Credential data will not be saved!
[*] 192.168.3.1:80 - [ 2/16] - root:password - Failure
[*] 192.168.3.1:80 - [ 3/16] - root:123456789 - Failure
[*] 192.168.3.1:80 - [ 4/16] - root:12345678 - Failure
[*] 192.168.3.1:80 - [ 5/16] - root:12345 - Failure
[+] Ubus RPC Session: 403e133730879d23a2a0df022e19c19c
[+] 192.168.3.1:80 - [ 6/16] - root:10601 - Success
[*] 192.168.3.1:80 - [ 7/16] - root:qwerty - Failure
[*] 192.168.3.1:80 - [ 8/16] - root:123123 - Failure
[*] 192.168.3.1:80 - [ 9/16] - root:111111 - Failure
[*] 192.168.3.1:80 - [10/16] - root:abc123 - Failure
[*] 192.168.3.1:80 - [11/16] - root:1234567 - Failure
[*] 192.168.3.1:80 - [12/16] - root:dragon - Failure
[*] 192.168.3.1:80 - [13/16] - root:1q2w3e4r - Failure
[*] 192.168.3.1:80 - [14/16] - root:sunshine - Failure
[*] 192.168.3.1:80 - [15/16] - root:654321 - Failure
[*] 192.168.3.1:80 - [16/16] - root:master - Failure
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@bcoles bcoles added the external modules PRs dealing with modules run as their own process label Mar 30, 2019
@h00die
Copy link
Contributor

h00die commented Apr 2, 2019

It looks like this is: https://onion.io/store/omega2-starter-bundle/
Just want to confirm before anyone buys the wrong hardware to test it. I didn't see an option to run the OS in a VM, is that correct?

@nsa
Copy link
Contributor Author

nsa commented Apr 2, 2019

Yes, the device is correct.

The Operating system

The Omega2 runs the Linux Embedded Development Environment (LEDE) operating system, a distribution based on OpenWRT

A quote from the docs

Since it's a custom embedded OS I don't think that there is a VM for it. The login page is accessible through Omega2's Wi-Fi network.

@jrobles-r7
Copy link
Contributor

Please send a PCAP of the module running to msfdev [at] metasploit.com.

@jrobles-r7 @nsa
Apply suggestions from code review
cf6c57c 
Co-Authored-By: nsa <mustafa@calap.co>
@nsa
Copy link
Contributor Author

nsa commented Apr 30, 2019

@jrobles-r7 The PCAP file is sent.

@jrobles-r7 jrobles-r7 merged commit cf6c57c into rapid7:master May 21, 2019
jrobles-r7 added a commit that referenced this pull request May 21, 2019
@jrobles-r7
Land #11661, Onion Omega2 login scanner
6775685
@jrobles-r7
Copy link
Contributor

jrobles-r7 commented May 21, 2019
edited
Loading

Apologies for the delay. Thanks for sending the PCAP over and contributing.

msjenkins-r7 pushed a commit that referenced this pull request May 21, 2019
@jrobles-r7 @msjenkins-r7
Land #11661, Onion Omega2 login scanner
ec56523
@jrobles-r7
Copy link
Contributor

Release Notes

The onion_omega2_login auxiliary module performs login brute-forcing of Onion Omega2 devices.

@gdavidson-r7 gdavidson-r7 added the rn-modules release notes for new or majorly enhanced modules label May 29, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrobles-r7 jrobles-r7 jrobles-r7 left review comments

Assignees
No one assigned
Labels
docs external modules PRs dealing with modules run as their own process rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@nsa @h00die @jrobles-r7 @bcoles @gdavidson-r7