h00die
3.6 KiB
3.6 KiB
General Notes
This module imports a Juniper configuration file into the database.
This is similar to post/juniper/gather/enum_juniper only access isn't required,
and assumes you already have the file.
Example files for import can be found on git, like this (junos) or this (screenos).
Verification Steps
- Have a Juniper configuration file
- Start
msfconsole use auxiliary/admin/juniper/juniper_configset RHOST x.x.x.xset CONFIG /tmp/file.configset action junosrun
Options
RHOST
Needed for setting services and items to. This is relatively arbitrary.
CONFIG
File path to the configuration file.
Action
JUNOS for JunOS config file, and SCREENOS for ScreenOS config file.
Scenarios
JunOS
root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/juniper_ex2200.config https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config
root@metasploit-dev:~/metasploit-framework# ./msfconsole
[*] Starting persistent handler(s)...
msf5 > use auxiliary/admin/juniper/gather/juniper_config
msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/juniper_ex2200.config
config => /tmp/juniper_ex2200.config
msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf5 auxiliary(admin/juniper/gather/juniper_config) > run
[*] Running module against 127.0.0.1
[*] Importing config
[+] root password hash: $1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.
[+] User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.
[+] User 2002 named newuser2 in group operator found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.
[+] User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..
[+] User 2004 named newuser4 in group unauthorized found with password hash $1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/.
[+] SNMP community read with permissions read-only
[+] SNMP community public with permissions read-only
[+] SNMP community private with permissions read-write
[+] SNMP community secretsauce with permissions read-write
[+] SNMP community hello there with permissions read-write
[+] radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV
[+] PPTP username 'pap_username' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP
[+] Config import successful
[*] Auxiliary module execution completed
ScreenOS
root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/screenos.conf https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf
root@metasploit-dev:~/metasploit-framework# ./msfconsole
[*] Starting persistent handler(s)...
msf5 > use auxiliary/admin/juniper/gather/juniper_config
msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/screenos.conf
config => /tmp/screenos.conf
msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf5 auxiliary(admin/juniper/gather/juniper_config) > set action SCREENOS
action => SCREENOS
msf5 auxiliary(admin/juniper/gather/juniper_config) > run
[*] Running module against 127.0.0.1
[*] Importing config
[+] Admin user netscreen found with password hash nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
[+] User 1 named testuser found with password hash auth. Enable permission: 02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=
[+] Config import successful
[*] Auxiliary module execution completed