added Lantronix telnet password recovery module #906

Merged
merged 2 commits into from Oct 17, 2012


Contributor
jgor commented Oct 14, 2012

Description: This module retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default) and extracts the telnet password.

Lantronix device configuration is performed via telnet to port 9999, optionally protected by a 4-character password. Existing MSF module auxiliary/scanner/telnet/lantronix_telnet_version gets the version banner of this telnet service. This new module adds the ability to retrieve the credentials for the telnet service.

The code was modeled after modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb. It has been tested against a Lantronix CoBox-E2 device running the latest firmware (v5.8.0.1), reset to factory defaults and configured with a telnet password. It is based on PoC code of mine that I have successfully run against at least two additional Lantronix models, and theoretically will work on any device that uses the standard Lantronix discovery/config port (30718/udp) and supports accessing setup records through this port.

I can make a test device reachable if necessary. Let me know if more info is needed.

Contributor

Hi jgor,

First of all, thanks for your contribution. Access to a test device would be awesome for testing the module. If you can't provide it, a pcap capture with the module in action would be necessary to verify that the module is working. Please feel free to contact me at juan.vazquez [at] metasploit.com in case you can provide access to a test device.

Contributor
jgor commented Oct 16, 2012

Test device connection details emailed.

@jvazquez-r7 jvazquez-r7 and 1 other commented on an outdated diff Oct 17, 2012
...auxiliary/scanner/telnet/lantronix_telnet_password.rb
@@ -0,0 +1,111 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+###
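Review bot: the `###` banner that closes this hunk opens a comment block carried over from the sample module rather than one describing this module; the license header above already covers provenance, so drop the banner and the sample text it introduces and replace it with a one-line comment stating that the module retrieves the setup record over the Lantronix config port (30718/udp) to recover the telnet password, as the PR description says.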
Contributor
jvazquez-r7 commented Oct 17, 2012

I think this comment L10-L15 can be deleted

Contributor
jgor commented Oct 17, 2012

Yep, forgot to get rid of that from the sample module.

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Oct 17, 2012
...auxiliary/scanner/telnet/lantronix_telnet_password.rb
+
+###
+#
+# This sample auxiliary module simply displays the selected action and
+# registers a custom command that will show up when the module is used.
+#
+###
+class Metasploit4 < Msf::Auxiliary
+ include Msf::Exploit::Remote::Udp
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'Lantronix Telnet Password Recovery',
+ 'Version' => '$Revision: 1 $',
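Review bot: the class comment (`# This sample auxiliary module simply displays the selected action and` / `# registers a custom command that will show up when the module is used.`) is copied from the sample module and does not describe what this module does; replace it with a short description of the setup-record retrieval. In the same hunk, `'Version' => '$Revision: 1 $'` is an svn keyword line that has no meaning under git and should be removed.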
Contributor
jvazquez-r7 commented Oct 17, 2012

This was for svn purposes, can be deleted

@jvazquez-r7 jvazquez-r7 commented on the diff Oct 17, 2012
...auxiliary/scanner/telnet/lantronix_telnet_password.rb
+ end
+
+ if password
+ print_good("#{rhost} - Telnet password found: #{password.to_s}")
+ report_auth_info({
+ :host => rhost,
+ :port => 9999,
+ :sname => 'telnet',
+ :duplicate_ok => false,
+ :pass => password,
+ })
+ end
+
+ end
+
+ def parse_reply(pkt)
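Review bot: the `if password` guard around the report only rejects nil; if `parse_reply` can return an empty string for a device whose telnet password is unset (the PR description says the password is optional), that empty string is truthy in Ruby and an empty credential would be reported, so check `password.empty?` as well, e.g. `if password and not password.empty?`. Minor points in the same hunk: `#{password.to_s}` in `print_good` is redundant because interpolation already calls `to_s`, and the `report_auth_info` call should state `:proto => 'tcp'` explicitly, since the credential belongs to the telnet service on 9999/tcp even though it was recovered over UDP.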
Contributor
jvazquez-r7 commented Oct 17, 2012

I don't fully understand the parse_reply function; why not just check whether it's a setup_record (it seems it is when setup_record[3] == 0xf9), and if it is a setup record, return the password?

Surely I'm forgetting things... really, I can only test the setup response from the device made available by jgor (thanks :))

Contributor
jgor commented Oct 17, 2012

The pkt[1] stuff (host info of the response from recvfrom()) is something I found in other existing modules, I assume it's a convention for trimming up ipv6 addresses. But now that I look at it again I don't use that value anyway, whoops...so it can all be removed. Thanks!

Contributor

On the other hand, I've tested it and the module is mainly working (thanks jgor!); awaiting jgor's update on the comments.

remsf  auxiliary(lantronix_telnet_password) > rexploit
[*] Reloading module...
[+] xx.xx.xx.xx - Telnet password found: xxxxxx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(lantronix_telnet_password) > hosts
Hosts
=====
address         mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------  ---------  -----  -------  ----  --------
xx.xx.xx.xx             Unknown                    device         
msf  auxiliary(lantronix_telnet_password) > creds
Credentials
===========
host            port  user  pass  type      active?
----            ----  ----  ----  ----      -------
xx.xx.xx.xx  9999        xxxxxx  password  true
Contributor
jgor commented Oct 17, 2012

Agreed on all fronts: 1) the sample module comment should be deleted, 2) the svn version line can go away, 3) all the pkt[1] code in parse_reply() should be deleted. I'm a bit new to this process; do I make the changes on my side and re-commit, or do you need to make the changes? Thanks!

Contributor

You can make the changes yourself, and when you're ready, from your local clone of your git repo, on the same branch you used to open this pull request, just do:

git commit -am "description for changes"
git push origin branch_name

And this pull request will be updated automatically :) Feel free to ask if you have any doubts about this. Hopefully soon we will all be GitHub masters! :D

Contributor
jgor commented Oct 17, 2012

Done, thanks for the pointers!

@jvazquez-r7 jvazquez-r7 merged commit e22059d into rapid7:master Oct 17, 2012
Contributor

Awesome! Merged :) Many thanks, jgor!
