From 081a3437a4d18bdd1e5730d4b9f0dc78a182a58e Mon Sep 17 00:00:00 2001
From: Tom Sellers
Date: Sun, 24 Aug 2014 09:38:15 -0500
Subject: [PATCH 1/3] Refactor for Credentials gem
---
 modules/post/windows/gather/enum_snmp.rb | 83 +++++++++++++++---------
 1 file changed, 54 insertions(+), 29 deletions(-)
diff --git a/modules/post/windows/gather/enum_snmp.rb b/modules/post/windows/gather/enum_snmp.rb
index ab74be16e4..e86bf12d10 100644
--- a/modules/post/windows/gather/enum_snmp.rb
+++ b/modules/post/windows/gather/enum_snmp.rb
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
 def community_strings
 comm_str = []
 tbl = Rex::Ui::Text::Table.new(
- 'Header' => "Comunity Strings",
+ 'Header' => "Community Strings",
 'Indent' => 1,
 'Columns' => [
@@ -63,33 +63,30 @@ class Metasploit3 < Msf::Post
 if not comm_str.nil? and not comm_str.empty?
 comm_str.each do |c|
+ #comm_type is for human display, access_type is passed to the credential
+ #code using labels consistent with the SNMP login scanner
 case registry_getvaldata(key,c)
 when 4
- comm_type = "READ ONLY"
+ comm_type = 'READ ONLY'
+ access_type = 'read-only'
 when 1
- comm_type = "DISABLED"
+ comm_type = 'DISABLED'
+ access_type = 'disabled'
 when 2
- comm_type = "NOTIFY"
+ comm_type = 'NOTIFY'
+ access_type = 'notify'
 when 8
- comm_type = "READ & WRITE"
+ comm_type = 'READ & WRITE'
+ access_type = 'read-write'
 when 16
- comm_type = "READ CREATE"
+ comm_type = 'READ CREATE'
+ access_type = 'read-create'
 end
 # Save data to table
 tbl << [c,comm_type]
- # Save Community Strings to DB
- report_auth_info(
- :host => session.sock.peerhost,
- :port => 161,
- :proto => 'udp',
- :sname => 'snmp',
- :user => '',
- :pass => c,
- :type => "snmp.community",
- :duplicate_ok => true
- )
+ register_creds(session.sock.peerhost, 161, '', c, 'snmp', access_type)
 end
 print_status("")
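Review bot: The `case registry_getvaldata(key,c)` that now also assigns `access_type` has no `else`, so a permission value other than 4, 1, 2, 8 or 16 leaves both `comm_type` and `access_type` nil: the table row gets an empty type and `register_creds` is called with `access_level: nil` without any indication that the value was not recognised. Capturing the value once and adding a fallback makes the omission visible, e.g. `perm = registry_getvaldata(key,c)` before the `case`, `case perm`, and `else comm_type = "UNKNOWN (#{perm})"` with `access_type` left nil deliberately (whatever label the SNMP login scanner uses for an unknown level, if any, should be used there instead). The enclosing `community_strings` method starts and ends outside this hunk.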
@@ -116,21 +113,13 @@ class Metasploit3 < Msf::Post
 if not trap_hosts.nil? and not trap_hosts.empty?
 trap_hosts.each do |c|
 print_status("Community Name: #{c}")
- session.framework.db.report_auth_info(
- :host => session.sock.peerhost,
- :port => 161,
- :proto => 'udp',
- :sname => 'snmp',
- :user => '',
- :pass => c,
- :type => "snmp.community",
- :duplicate_ok => true
- )
+
 t_comm_key = key+"\\"+c
 registry_enumvals(t_comm_key).each do |t|
- print_status("\tDestination: " + registry_getvaldata(t_comm_key,t))
+ trap_dest = registry_getvaldata(t_comm_key,t)
+ print_status("\tDestination: #{trap_dest}")
+ register_creds(trap_dest, 162, '', c, 'snmptrap', 'trap')
 end
- end
 else
 print_status("No Traps are configured")
@@ -152,4 +141,40 @@ class Metasploit3 < Msf::Post
 print_status("\tCommunity Strings can be accessed from any host")
 end
 end
+
+ def register_creds(client_ip, client_port, user, pass, service_name, access_type)
+ # Build service information
+ service_data = {
+ address: client_ip,
+ port: client_port,
+ service_name: service_name,
+ protocol: 'udp',
+ workspace_id: myworkspace_id
+ }
+
+ # Build credential information
+ credential_data = {
+ access_level: access_type,
+ origin_type: :session,
+ post_reference_name: self.fullname,
+ private_data: pass,
+ private_type: :password,
+ username: user,
+ workspace_id: myworkspace_id
+ }
+
+ credential_data[:session_id] = session.db_record.id if !session.db_record.nil?
+ credential_data.merge!(service_data)
+ credential_core = create_credential(credential_data)
+
+ # Assemble the options hash for creating the Metasploit::Credential::Login object
+ login_data = {
+ core: credential_core,
+ status: Metasploit::Model::Login::Status::UNTRIED,
+ workspace_id: myworkspace_id
+ }
+
+ login_data.merge!(service_data)
+ create_credential_login(login_data)
+ end
 end
From 601c5515f8c420f12f04e50b9e989dd63d7b2ffd Mon Sep 17 00:00:00 2001
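Review bot: A trap community that has no destination values configured is no longer stored at all: the removed `report_auth_info` call recorded `c` once per community, whereas the new `register_creds(trap_dest, 162, '', c, 'snmptrap', 'trap')` sits inside `registry_enumvals(t_comm_key).each` and so runs zero times for an empty key. In the same loop, `trap_dest` is used unchecked; if `registry_getvaldata` returns nil the old string concatenation would have raised, but the new interpolation prints an empty destination and `register_creds` receives a nil `address`, so a guard such as `next if trap_dest.to_s.strip.empty?` before the `print_status` is worth adding. It is also unclear from here whether the registry holds an IP or a hostname for the destination; if it can be a hostname, passing it straight through as the service `address` may not be what the credential layer expects. At minimum, printing a status line when a community has no destinations would make the dropped case visible to the operator. The enclosing method starts and ends outside this hunk.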
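Review bot: `register_creds` has no header comment, and six positional arguments (with `user` always `''` at both call sites) make the calls hard to read without one. Suggest a YARD block above `def register_creds` stating that it creates a credential core and an UNTRIED login for a UDP service on `client_ip`:`client_port`, with `@param` entries for `client_ip`, `client_port`, `user` (empty for SNMP), `pass` (the community string), `service_name` and `access_type` (a label matching the SNMP login scanner), plus `@return` describing the value of `create_credential_login`. As a point of style, `myworkspace_id` is called three times in the method and could be hoisted into a local, e.g. `wspace = myworkspace_id`, used in all three hashes.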
From: Tom Sellers
Date: Sun, 24 Aug 2014 17:18:31 -0500
Subject: [PATCH 2/3] Corrected 3 issues identified by jlee-r7
---
 modules/post/windows/gather/enum_snmp.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/post/windows/gather/enum_snmp.rb b/modules/post/windows/gather/enum_snmp.rb
index e86bf12d10..8ad452919a 100644
--- a/modules/post/windows/gather/enum_snmp.rb
+++ b/modules/post/windows/gather/enum_snmp.rb
@@ -63,8 +63,8 @@ class Metasploit3 < Msf::Post
 if not comm_str.nil? and not comm_str.empty?
 comm_str.each do |c|
- #comm_type is for human display, access_type is passed to the credential
- #code using labels consistent with the SNMP login scanner
+ # comm_type is for human display, access_type is passed to the credential
+ # code using labels consistent with the SNMP login scanner
 case registry_getvaldata(key,c)
 when 4
 comm_type = 'READ ONLY'
@@ -86,7 +86,7 @@ class Metasploit3 < Msf::Post
 # Save data to table
 tbl << [c,comm_type]
- register_creds(session.sock.peerhost, 161, '', c, 'snmp', access_type)
+ register_creds(session.session_host, 161, '', c, 'snmp', access_type)
 end
 print_status("")
@@ -156,6 +156,7 @@ class Metasploit3 < Msf::Post
 credential_data = {
 access_level: access_type,
 origin_type: :session,
+ session_id: session_db_id,
 post_reference_name: self.fullname,
 private_data: pass,
 private_type: :password,
@@ -163,7 +164,6 @@ class Metasploit3 < Msf::Post
 workspace_id: myworkspace_id
 }
- credential_data[:session_id] = session.db_record.id if !session.db_record.nil?
 credential_data.merge!(service_data)
 credential_core = create_credential(credential_data)
From 0b820c59b16677c5862de5cce30fe5613916c013 Mon Sep 17 00:00:00 2001
From: Tom Sellers
Date: Wed, 27 Aug 2014 18:34:15 -0500
Subject: [PATCH 3/3] Fix to self.refname
---
 modules/post/windows/gather/enum_snmp.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/post/windows/gather/enum_snmp.rb b/modules/post/windows/gather/enum_snmp.rb
index 8ad452919a..34e6bcb74a 100644
--- a/modules/post/windows/gather/enum_snmp.rb
+++ b/modules/post/windows/gather/enum_snmp.rb
@@ -157,7 +157,7 @@ class Metasploit3 < Msf::Post
 access_level: access_type,
 origin_type: :session,
 session_id: session_db_id,
- post_reference_name: self.fullname,
+ post_reference_name: self.refname,
 private_data: pass,
 private_type: :password,
 username: user,
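Review bot: The explicit `self.` receiver on the corrected line is redundant for a reader method in Ruby and is the only place in this hash that uses one; `post_reference_name: refname,` reads consistently with the neighbouring `session_id: session_db_id,`. The enclosing `register_creds` method starts and ends outside this hunk.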