metasploit-gs/lib/msf/core/auxiliary/f5.rb

# -*- coding: binary -*-

module Msf
  ###
  #
  # This module provides methods for working with F5 equipment
  #
  ###
  module Auxiliary::F5
    include Msf::Auxiliary::Report

    def f5_config_eater(thost, tport, config, store = true)

      credential_data = {
        address: thost,
        port: tport,
        protocol: 'tcp',
        workspace_id: myworkspace_id,
        origin_type: :service,
        private_type: :nonreplayable_hash,
        # https://support.f5.com/csp/article/K65081001
        jtr_format: 'sha512,crypt', # default on the devices 11.4.0+
        service_name: '',
        module_fullname: fullname,
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      # Default SNMP to UDP
      if tport == 161
        credential_data[:protocol] = 'udp'
      end

      if store
        store_loot('f5.config', 'text/plain', thost, config.strip, 'config.txt', 'F5 Configuration')
      end

      host_info = {
        host: thost,
        os_name: 'F5'
      }
      report_host(host_info)

      # generated by: tmsh list auth user

      # auth user admin {
      #    description "Admin User"
      # encrypted-password $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/
      #    partition Common
      #    partition-access {
      #        all-partitions {
      #            role admin
      #        }
      #    }
      #    shell none
      # }

      config.scan(%r{auth user ([^ ]+) {\s*description "?([^\n"]+)"?\n\s*encrypted-password ([$\w\+\./]+)\n[\w\s\-{}]+\s+shell (tmsh|bash|none)\n}}mi).each do |result|
        username = result[0].strip
        description = result[1].strip
        hash = result[2].strip
        shell = result[3].strip
        cred = credential_data.dup
        cred[:username] = username
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(hash)
        cred[:private_data] = hash
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} Username '#{username}' with description '#{description}' and shell #{shell} with hash #{hash}")
      end

      # generated by: tmsh list sys snmp communities

      # sys snmp {
      #    communities {
      #        comm-public {
      #            community-name public
      #            source default
      #        }
      #        ro {
      #            community-name rocommunity
      #        }
      #        rw {
      #            access rw
      #            community-name rwcommunity
      #        }
      #    }
      # }

      config.scan(/(?:(access rw)?\n)\s+community-name (\w+)/).each do |result|
        if result[0].nil?
          access = 'RO'
        else
          access = 'RW'
        end
        cred = credential_data.dup
        cred[:port] = 161
        cred[:protocol] = 'udp'
        cred[:service_name] = 'snmp'
        cred[:jtr_format] = ''
        cred[:private_data] = result[1].strip
        cred[:private_type] = :password
        cred[:access_level] = access
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} SNMP Community '#{result[1].strip}' with #{access} access")
      end

      # generated by: cat /config/bigip.conf

      # cm device /Common/f5bigip.ragegroup.com {
      #    active-modules { "BIG-IP, VE Trial|VTFAAAA-AAAAAAA|Rate Shaping|External Interface and Network HSM, VE|SDN Services, VE|SSL, Forward Proxy, VE|BIG-IP VE, Multicast Routing|APM, Limited|SSL, VE|DNS (1K QPS), VE|Routing Bundle, VE|ASM, VE|Crytpo Offload, VE, Tier 1 (25M - 200M)|Max Compression, VE|AFM, VE|DNSSEC|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Network Access|Secure Virtual Keyboard|APM, Web Application|Machine Certificate Checks|Protected Workspace|Remote Desktop|App Tunnel|VE, Carrier Grade NAT (AFM ONLY)|PSM, VE" }
      #    base-mac 00:11:11:a1:a1:a1
      #    build 0.0.9
      #    cert /Common/dtdi.crt
      #    chassis-id 164aaf79-aace-3494-1237671446c7
      #    configsync-ip 10.10.10.222
      #    edition "Point Release 2"
      #    hostname f5bigip.home.com
      #    key /Common/dtdi.key
      #    management-ip 1.1.1.1
      #    marketing-name "BIG-IP Virtual Edition"
      #    platform-id Z100
      #    product BIG-IP
      #    self-device true
      #    time-zone America/Los_Angeles
      #    version 15.1.0.2
      # }

      if /^cm device (?<content>.+)}$/m =~ config
        if /hostname (?<hostname>[\w\.-]+)$/i =~ content
          print_good("#{thost}:#{tport} Hostname: #{hostname}")
          host_info[:name] = hostname
          report_host(host_info)
        end
        if /base-mac (?<mac>[\d:a-f]+)$/i =~ content
          print_good("#{thost}:#{tport} MAC Address: #{mac}")
          host_info[:mac] = mac
          report_host(host_info)
        end
        if /management-ip (?<ip>[\d\.]+)$/ =~ content
          print_good("#{thost}:#{tport} Management IP: #{ip}")
        end
        if /product (?<product>[\w-]+)$/i =~ content
          print_good("#{thost}:#{tport} Product #{product}")
          host_info[:os_name] = "F5 #{product}"
          report_host(host_info)
        end
        if /version (?<version>[\d\.]+)$/i =~ content
          print_good("#{thost}:#{tport} OS Version: #{version}")
          host_info[:os_flavor] = version
          report_host(host_info)
        end
      end

      # generated by: cat /config/bigip.conf

      # sys file ssl-key /Common/f5_api_com.key {
      #    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_63086_1
      #    passphrase $M$iE$cIdy72xi7Xbk3kazSrpdfscd+oD1pdsXJbwhvhMPiss4Iw0RKIJQS/CuSReZl/+kseKpPCNpBWNWOOaBCwlQ0v4sl7ZUkxCymh5pfFNAjhc=
      #    revision 1
      #    source-path file:///config/ssl/ssl.key/f5_api_com.key
      # }
      config.scan(%r{^sys file ssl-key (.+) \{.+passphrase ([$\w/\+=]+).+source-path file://([\w/\.]+)}mi).each do |result|
        username = result[0].strip # its not really a username, but we'll leave it as is since its a common name
        hash = result[1].strip
        file = result[2].strip
        cred = credential_data.dup
        cred[:username] = username
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(hash)
        cred[:private_data] = hash
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} SSL Key '#{username}' and hash #{hash} for #{file}")
      end

      # generated by tmsh show sys crypto master-key

      # --------------------------------------------------------------------------------
      # Sys::Master-Key
      # --------------------------------------------------------------------------------
      # master-key hash  <EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==>
      # previous hash    <EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==>

      config.scan(%r{(master-key|previous) hash\s+<([\w\+/=]+)>}i). each do |result|
        key_type = result[0].strip
        key = result[1].strip
        cred = credential_data.dup
        cred[:username] = "F5 #{key_type} hash"
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(key) # will come bacy empty
        cred[:private_data] = key
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} F5 #{key_type} hash #{key}")
      end

    end
  end
end