CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/metasploit/framework/login_scanner/vmauthd.rb
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'
require 'metasploit/framework/tcp/client'

module Metasploit
  module Framework
    module LoginScanner

      # This is the LoginScanner class for dealing with vmware-auth.
      # It is responsible for taking a single target, and a list of credentials
      # and attempting them. It then saves the results.
      class VMAUTHD
        include Metasploit::Framework::LoginScanner::Base
        include Metasploit::Framework::LoginScanner::RexSocket
        include Metasploit::Framework::Tcp::Client

        DEFAULT_PORT = 902
        LIKELY_PORTS = [ DEFAULT_PORT, 903, 912 ]
        LIKELY_SERVICE_NAMES = [ 'vmauthd', 'vmware-auth' ]
        PRIVATE_TYPES = [ :password ]
        REALM_KEY = nil

        # This method attempts a single login with a single credential against the target
        # @param credential [Credential] The credential object to attempt to login with
        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
        def attempt_login(credential)
          result_options = {
            credential: credential,
            status: Metasploit::Model::Login::Status::INCORRECT,
            proof: nil,
            host: host,
            port: port,
            service_name: 'vmauthd',
            protocol: 'tcp'
          }

          disconnect if self.sock

          begin
            connect
            # Wait briefly for the server banner before reading it
            select([sock], nil, nil, 0.4)

            # Check to see if we received an OK (the vmauthd "220" greeting banner)
            result_options[:proof] = sock.get_once
            if result_options[:proof] && result_options[:proof][/^220 VMware Authentication Daemon Version.*/]
              # Switch to SSL if required (the banner advertises "SSL" when the daemon expects it)
              swap_sock_plain_to_ssl(sock) if result_options[:proof] && result_options[:proof][/SSL/]

              # If we received an OK we should send the USER
              sock.put("USER #{credential.public}\r\n")
              result_options[:proof] = sock.get_once

              if result_options[:proof] && result_options[:proof][/^331.*/]
                # If we got an OK after the username we can send the PASS
                sock.put("PASS #{credential.private}\r\n")
                result_options[:proof] = sock.get_once

                if result_options[:proof] && result_options[:proof][/^230.*/]
                  # if the pass gives an OK, we're good to go
                  result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
                end
              end
            end

          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
            # Any transport-level failure is recorded as UNABLE_TO_CONNECT rather than INCORRECT
            result_options.merge!(
              proof: e.message,
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            )
          end

          disconnect if self.sock

          Result.new(result_options)
        end

        private

        # (see Base#set_sane_defaults)
        def set_sane_defaults
          self.connection_timeout ||= 30
          self.port ||= DEFAULT_PORT
          self.max_send_size ||= 0
          self.send_delay ||= 0
        end

        # Wrap the already-connected plain TCP socket in an SSL session in place,
        # so the rest of attempt_login keeps talking through the same `sock` object
        def swap_sock_plain_to_ssl(nsock=self.sock)
          ctx = generate_ssl_context
          ssl = OpenSSL::SSL::SSLSocket.new(nsock, ctx)

          ssl.connect

          nsock.extend(Rex::Socket::SslTcp)
          nsock.sslsock = ssl
          nsock.sslctx = ctx
        end

        def generate_ssl_context
          # Note: the SSLv3-only context below matches the daemon this scanner targets;
          # Ruby/OpenSSL builds with SSLv3 compiled out will raise here
          ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
          # One client-side RSA key is generated once and cached across scans
          @@cached_rsa_key ||= OpenSSL::PKey::RSA.new(1024){}

          ctx.key = @@cached_rsa_key

          ctx.session_id_context = Rex::Text.rand_text(16)

          ctx
        end
      end

    end
  end
end