Add FreeSwitch Login auxiliary module #16723
cdelafuente-r7
left a comment
Thanks @krastanoel for this contribution! I tested against a Docker installation and it works great! I also left a few comments/suggestions for you to review, when you get a chance.
| @@ -0,0 +1,61 @@ | |||
| ## Description | |||
Please, could you run msftidy_docs.rb and address what it reports?
ruby tools/dev/msftidy_docs.rb documentation/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.md
Thank you @cdelafuente-r7 for reviewing the module, and thanks for the hint; I didn't know this. I've run the msftidy docs and there were 5 warnings that I've corrected.
| @check = check_host(ip) | ||
| case @check.code | ||
| when 'safe' | ||
| fail_with(Failure::NoAccess, @check.reason) | ||
| when 'unknown' | ||
| fail_with(Failure::Unknown, @check.reason) | ||
| end |
This can be handled automatically by the AutoCheck mixin, which calls the #check_host method and fails or continues according to the check code that is returned. You can remove these lines and just prepend the mixin at the beginning of the class definition:
...
include Msf::Auxiliary::AuthBrute
prepend Msf::Exploit::Remote::AutoCheck
| @check = check_host(ip) | |
| case @check.code | |
| when 'safe' | |
| fail_with(Failure::NoAccess, @check.reason) | |
| when 'unknown' | |
| fail_with(Failure::Unknown, @check.reason) | |
| end |
Thanks, I forgot this mixin. I also added a rescue for when NoMethodError is raised, in case the user uses ForceExploit against unknown services.
Thanks!
Is there a specific location where this exception might be raised when scanning against unknown services?
Usually, NoMethodError exceptions are related to an issue in the code and should not happen. If such an exception is raised, this means something needs to be fixed in the code to add the necessary checks or to use the safe navigation operator to avoid it.
Thank you again for the hint! You're right, the issue is in the code:
[*] 192.168.56.1:4444 - Running automatic check ("set AutoCheck false" to disable)
[!] 192.168.56.1:4444 - Cannot reliably check exploitability. Unable to determine the service fingerprint ForceExploit is enabled, proceeding with exploitation.
[-] 192.168.56.1:4444 - Auxiliary failed: NoMethodError undefined method `strip' for nil:NilClass
[-] 192.168.56.1:4444 - Call stack:
[-] 192.168.56.1:4444 - /home/git/metasploit-framework/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb:96:in `block in run_host'
I didn't pay attention to the error message for the strip method in order to use the safe navigation operator.
| cred_collection = Metasploit::Framework::PrivateCredentialCollection.new( | ||
| password: datastore['PASSWORD'], | ||
| pass_file: datastore['PASS_FILE'] | ||
| ) |
There is one potential issue when using the LoginScanner with credentials without usernames. During the scan, scan! will iterate over the credentials and keep track of successful logins in the successful_users data structure. Since there is no username, nil will be stored. The next iterations will check whether the user's password has already been found by checking if the username (also nil) is present in successful_users. Since the unique username is nil, this will skip all the subsequent credentials.
As a result of this, all the credentials after the one that has been successful will be skipped. This means the datastore option STOP_ON_SUCCESS has no effect, even if it is set to false. This is something we could improve in Framework, but in the meantime, it might be a good idea to document this behavior and deregister the datastore option STOP_ON_SUCCESS to avoid confusion.
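A simplified model of the scan loop described above, added here as an example and not Framework's or the module's own code; `scan_attempts`, the `Credential` struct and the sample password list are constructed to show why, with username-less credentials, every credential after the first success is skipped regardless of stop_on_success:

```ruby
require 'set'

# Constructed credential model: `username` plays the role of the
# credential's public part and `password` of its private part.
Credential = Struct.new(:username, :password)

# Simplified, constructed model of a LoginScanner scan loop (not
# Framework's own code): the username of every successful login is
# recorded in `successful_users`, and any later credential whose
# username is already in that set is skipped without an attempt.
# Returns the list of passwords that were actually tried.
def scan_attempts(credentials, valid_password:, stop_on_success: false)
  successful_users = Set.new
  attempted = []
  credentials.each do |cred|
    # For password-only credentials cred.username is nil on every entry,
    # so once nil is in the set every remaining credential is skipped.
    next if successful_users.include?(cred.username)

    attempted << cred.password
    next unless cred.password == valid_password

    successful_users << cred.username
    break if stop_on_success
  end
  attempted
end

# Constructed sample password list; the FreeSWITCH ESL module builds
# its collection without usernames, so every entry has username nil.
PASSWORDS = %w[ClueCon password hunter letmein].freeze
PASSWORD_ONLY = PASSWORDS.map { |p| Credential.new(nil, p) }
# The same passwords paired with distinct usernames, for comparison.
WITH_USERS = PASSWORDS.each_with_index.map { |p, i| Credential.new("user#{i}", p) }

# With no usernames, stop_on_success false still stops after 'hunter':
# 'letmein' is never attempted, exactly as with stop_on_success true.
def password_only_run(stop_on_success: false)
  scan_attempts(PASSWORD_ONLY, valid_password: 'hunter', stop_on_success: stop_on_success)
end

# With distinct usernames only the successful user is skipped, so the
# scan continues and 'letmein' is still attempted for user3.
def with_users_run
  scan_attempts(WITH_USERS, valid_password: 'hunter', stop_on_success: false)
end
```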
I didn't know this. I've deregistered the STOP_ON_SUCCESS option, but I'm not sure where and how to document this behavior.
Thanks! You can add a line to documentation/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.md, in the Description section, saying that the module stops as soon as a valid password is found. It will be fine.
I noticed this option is still used by the module at line 73 and should also be removed. The stop_on_success attribute cannot be removed entirely, otherwise the scanner validation routine will fail. So, setting this attribute to true should be fine. Also, it would be a good idea to add a comment explaining that this attribute will have no effect due to the scanner behavior when scanning without usernames.
scanner = Metasploit::Framework::LoginScanner::FreeswitchEventSocket.new(
host: ip,
port: rport,
cred_details: cred_collection,
stop_on_success: true,
connection_timeout: 10
)
…inst unknown service
Use include instead of regex and rescue stream closed error Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
this attribute is needed by LoginScanner module but will have no effect
cdelafuente-r7
left a comment
Thanks for updating this @krastanoel! Everything looks good now. I tested against a docker installation of FreeSwitch and verified the brute force attack worked. I'll go ahead and land it. This is a great module, thank you for your contribution!
Example output
msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > rerun verbose=true RHOSTS=127.0.0.1 PASS_FILE=/home/msf/tmp/password_list.txt RPORT=8022
[*] Reloading module...
[*] 127.0.0.1:8022 - Running automatic check ("set AutoCheck false" to disable)
[+] 127.0.0.1:8022 - The target appears to be vulnerable.
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: ClueCon (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: password (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 123456 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 12345678 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 1234 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: qwerty (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 12345 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: dragon (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: pussy (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: baseball (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: football (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: letmein (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: monkey (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 696969 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: abc123 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: mustang (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: michael (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: shadow (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: master (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: jennifer (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 111111 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 2000 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: jordan (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: superman (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: harley (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: 1234567 (Incorrect: -ERR invalid)
[-] 127.0.0.1:8022 - 127.0.0.1:8022 - LOGIN FAILED: fuckme (Incorrect: -ERR invalid)
[+] 127.0.0.1:8022 - 127.0.0.1:8022 - Login Successful: hunter (Successful: +OK accepted)
[*] 127.0.0.1:8022 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
127.0.0.1 127.0.0.1 8022/tcp (freeswitch) hunter Password
Release Notes
This adds an auxiliary scanner module that bruteforces FreeSwitch's event socket service login interface to guess the password.
This module is a login utility to find the password of the FreeSWITCH event socket service by bruteforcing the login interface. Note that this service does not require a username to log in; login is done purely via supplying a valid password.
Docker Installation
Verification
msfconsole
use auxiliary/scanner/misc/freeswitch_event_socket_login
set RHOSTS [ips]
run
Demo
FreeSWITCH 1.10.7 Linux Debian 10 (buster)