
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/metasploit/framework/login_scanner/mqtt.rb
require 'metasploit/framework/tcp/client'
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'
module Metasploit
  module Framework
    module LoginScanner
      # LoginScanner implementation for MQTT.
      #
      # Given a single target and a list of credentials, it attempts each
      # credential and then saves the results.
      #
      # NOTE(review): +host+, +port+, +sock+, +connect+ and +disconnect+ are
      # not defined in this class; presumably they are supplied by the mixins
      # included below -- confirm against those modules.
      class MQTT
        include Metasploit::Framework::LoginScanner::Base
        include Metasploit::Framework::LoginScanner::RexSocket
        include Metasploit::Framework::Tcp::Client

        #
        # CONSTANTS
        #
        DEFAULT_PORT = Rex::Proto::MQTT::DEFAULT_PORT
        DEFAULT_SSL_PORT = Rex::Proto::MQTT::DEFAULT_SSL_PORT
        LIKELY_PORTS = [DEFAULT_PORT, DEFAULT_SSL_PORT]
        LIKELY_SERVICE_NAMES = %w[MQTT]
        PRIVATE_TYPES = %i[password]
        REALM_KEY = nil

        # @!attribute read_timeout
        #   @return [Integer] Timeout, in seconds, used while reading responses from MQTT
        attr_accessor :read_timeout

        # @!attribute client_id
        #   @return [String] Client identifier sent when connecting to MQTT
        attr_accessor :client_id

        # Tries one credential against the target and reports how the broker
        # answered.
        #
        # Outcome mapping, as implemented below:
        # * CONNACK return code 0 -> Status::SUCCESSFUL
        # * any other return code -> Status::INCORRECT, with the raw code
        #   kept in the proof string
        # * EOFError, Errno::ENOTCONN, Rex::ConnectionError or Timeout::Error
        #   -> Status::UNABLE_TO_CONNECT, with the exception message as proof
        #
        # Caveats when reading the results:
        # * MQTT 3.1.1 defines CONNACK codes 1-5, and only 4 (bad user name or
        #   password) and 5 (not authorized) are about the credential. The
        #   others (for example 3, server unavailable) are recorded as
        #   INCORRECT as well, so check the code in the proof before treating
        #   a credential as rejected.
        # * NOTE(review): a broker that permits anonymous connections may
        #   answer 0 for any credential pair, so SUCCESSFUL alone may not
        #   prove the credential is valid -- confirm against the broker
        #   configuration.
        # * The result always reports protocol 'tcp'; whether the transport
        #   is TLS is not decided in this method. MQTT CONNECT carries the
        #   user name and password as plain fields, so without TLS they cross
        #   the network unencrypted.
        #
        # @param credential [Credential] The credential to try
        # @return [Metasploit::Framework::LoginScanner::Result] The outcome of the attempt
        def attempt_login(credential)
          result_options = {
            credential: credential,
            host: host,
            port: port,
            protocol: 'tcp',
            service_name: 'MQTT'
          }

          begin
            # Drop any socket left over from a previous attempt, then open a
            # fresh connection for this credential.
            disconnect if sock
            connect

            client = Rex::Proto::MQTT::Client.new(
              sock,
              {
                username: credential.public,
                password: credential.private,
                read_timeout: read_timeout,
                client_id: client_id
              }
            )
            connack = client.connect
            # The MQTT session is closed before the reply is inspected; the
            # reply object is all that is needed from here on.
            client.disconnect

            status, proof =
              if connack.return_code == 0
                [
                  Metasploit::Model::Login::Status::SUCCESSFUL,
                  "Successful Connection (Received CONNACK packet)"
                ]
              else
                # Every non-zero code lands here, not only credential failures.
                [
                  Metasploit::Model::Login::Status::INCORRECT,
                  "Failed Connection (#{connack.return_code})"
                ]
              end

            result_options.merge!(proof: proof, status: status)
          rescue ::EOFError, Errno::ENOTCONN, Rex::ConnectionError, ::Timeout::Error => e
            # Transport-level failure: says nothing about the credential itself.
            result_options.merge!(
              proof: e.message,
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            )
          ensure
            # Runs on every path so the socket is released before returning.
            disconnect
          end

          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
        end
      end
    end
  end
end