
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/core/auxiliary/arista.rb
# -*- coding: binary -*-
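module Msf
  ###
  #
  # This module provides methods for working with Arista equipment
  #
  ###
  module Auxiliary::Arista
    include Msf::Auxiliary::Report

    # Parses an Arista EOS configuration: stores the raw text as loot, reports
    # the host, and records every credential line it recognises (enable
    # secret, SNMP communities, local users, aaa root).
    #
    # The configuration is stored unredacted through store_loot, and each
    # recovered hash, password and community string is echoed with print_good,
    # so the loot store and the console log both hold secrets after a run.
    #
    # Credentials are only written when framework.db.active is true; the
    # console output is produced either way.
    #
    # @param thost address of the device; used as the loot host and the
    #   reported host
    # @param tport port the configuration was obtained over; 161 switches the
    #   credential template to UDP
    # @param config the configuration text (must respond to strip and
    #   each_line)
    def arista_eos_config_eater(thost, tport, config)
      # Read the database state once so the credential template and every
      # later use of it agree on whether a database is available.
      db_active = framework.db.active

      credential_data = nil
      if db_active
        credential_data = {
          address: thost,
          port: tport,
          protocol: 'tcp',
          workspace_id: myworkspace_id,
          origin_type: :service,
          private_type: :nonreplayable_hash,
          jtr_format: 'sha512,crypt', # default on the devices
          service_name: '',
          module_fullname: fullname,
          status: Metasploit::Model::Login::Status::UNTRIED
        }

        # Default SNMP to UDP. This sits inside the database guard: without a
        # database credential_data is nil and indexing it raised NoMethodError
        # for any configuration collected over port 161.
        credential_data[:protocol] = 'udp' if tport == 161
      end

      store_loot('arista.eos.config', 'text/plain', thost, config.strip, 'config.txt', 'Arista EOS Configuration')

      host_info = {
        host: thost,
        os_name: 'Arista EOS'
      }
      report_host(host_info)

      config.each_line do |line|
        case line

        # one of the first lines
        # ! device: aristaveos (vEOS, EOS-4.19.10M)
        # ! device: switch (DCS-7150S-64-CL, EOS-4.13.2F)
        when /^\s*! device: (.+) \((.+),\s*(.+)-(.+)\)/i
          hostname = Regexp.last_match(1).to_s
          device = Regexp.last_match(2).to_s
          os = Regexp.last_match(3).to_s
          os_ver = Regexp.last_match(4).to_s
          host_info[:os_name] = os
          host_info[:os_flavor] = os_ver
          host_info[:name] = hostname
          report_host(host_info)
          print_good("#{thost}:#{tport} Hostname: #{hostname}, Device: #{device}, OS: #{os}, Version: #{os_ver}")

        # https://www.arista.com/en/um-eos/eos-section-6-1-managing-the-switch-name
        # hostname aristaveos
        when /^\s*hostname (\S+)/i
          hostname = Regexp.last_match(1).to_s
          host_info[:name] = hostname
          report_host(host_info)
          print_good("#{thost}:#{tport} Hostname: #{hostname}")

        # https://www.arista.com/en/um-eos/eos-section-4-7-aaa-commands#ww1349127
        # enable secret sha512 $6$jemN09cUdoLRim6i$Mvl2Fog/VZ7ktxyLSVDR1KnTTTPSMHU3WD.G/kxwgODdsc3d7S1aSNJX/DJmQI3nyrYnEw4lsmoKPGClFJ9hH1
        when /^\s*enable secret sha512 (.*)$/i
          # (.*) runs to the end of the line, so it also picks up trailing
          # whitespace such as the "\r" of a CRLF file; strip it so the stored
          # hash is exactly the hash.
          enable_hash = Regexp.last_match(1).to_s.strip
          if db_active
            cred = credential_data.dup
            cred[:username] = 'enable'
            cred[:private_data] = enable_hash
            create_credential_and_login(cred)
          end
          print_good("#{thost}:#{tport} Enable hash: #{enable_hash}")

        # https://www.arista.com/en/um-eos/eos-section-43-3-configuring-snmp?searchword=snmp
        # snmp-server community read ro
        # snmp-server community write rw
        when /^\s*snmp-server community ([^\s]+) (RO|RW)/i
          stype = Regexp.last_match(2).strip
          scomm = Regexp.last_match(1).strip
          print_good("#{thost}:#{tport} SNMP Community (#{stype}): #{scomm}")

          if db_active
            # Community strings are always filed against SNMP on 161/udp,
            # whatever port the configuration itself was collected from.
            cred = credential_data.dup
            cred[:access_level] = stype.upcase
            cred[:protocol] = 'udp'
            cred[:service_name] = 'snmp'
            cred[:private_type] = :password
            cred[:jtr_format] = ''
            cred[:port] = 161
            cred[:private_data] = scomm
            create_credential_and_login(cred)
          end

        # https://www.arista.com/en/um-eos/eos-section-4-7-aaa-commands#ww1349963
        # username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61
        # username bob privilege 15 secret 5 $1$EGQJlod0$CdkMmW1FoiRgMfbLFD/kB/
        # username rlaney role network-admin secret 0 ralrox
        when /^\s*username ([^\s]+) (?:privilege (\d+) )?(?:role (.+) )?secret (.+) ([^\s]+)/i
          name = Regexp.last_match(1).to_s
          privilege = Regexp.last_match(2).to_s
          role = Regexp.last_match(3).to_s
          # for secret, 0=plaintext, 5=md5sum, sha512=sha512
          secret = Regexp.last_match(4).to_s
          hash = Regexp.last_match(5).to_s
          output = "#{thost}:#{tport} Username '#{name}'"
          output << " with privilege #{privilege}," unless privilege.empty?
          output << " Role #{role}," unless role.empty?

          # Without a database the hash is a throwaway, which keeps the
          # assignments below free of repeated database checks.
          cred = db_active ? credential_data.dup : {}

          if secret == '0'
            output << " and Password: #{hash}"
            cred[:private_type] = :password
            cred[:jtr_format] = ''
          else
            output << " and Hash: #{hash}"
            cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(hash)
          end

          cred[:username] = name
          cred[:private_data] = hash

          create_credential_and_login(cred) if db_active
          print_good(output)

        # aaa root secret sha512 $6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.
        when /^\s*aaa (root) secret (.+) ([^\s]+)/i
          name = Regexp.last_match(1).to_s
          # for secret, 0=plaintext, 5=md5sum, sha512=sha512
          secret = Regexp.last_match(2).to_s
          hash = Regexp.last_match(3).to_s
          output = "#{thost}:#{tport} AAA Username '#{name}'"

          # Throwaway hash when there is no database, as in the username case.
          cred = db_active ? credential_data.dup : {}
          cred[:username] = name

          if secret == '0'
            output << " and Password: #{hash}"
            cred[:private_type] = :password
            cred[:jtr_format] = ''
          else
            output << " with Hash: #{hash}"
            cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(hash)
          end

          cred[:private_data] = hash
          create_credential_and_login(cred) if db_active
          print_good(output)
        end
      end
    end
  end
end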