
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/core/auxiliary/brocade.rb
# -*- coding: binary -*-
module Msf
  ###
  #
  # Mixin for auxiliary modules that work with Brocade equipment. It parses a
  # device configuration and records the credential material found in it.
  #
  ###
  module Auxiliary::Brocade
    include Msf::Auxiliary::Report

    # Records a credential core together with a login for it on a service.
    #
    # Keys read directly here are listed below; the whole hash is also handed
    # to create_credential and create_credential_service, whose own
    # requirements are not visible in this file.
    #
    # @param opts [Hash] credential and service attributes
    # @option opts [Object] :core an existing credential core to reuse
    # @option opts [Object] :access_level value stored on the login when given
    # @option opts [Object] :last_attempted_at value stored on the login when given
    # @option opts [Object] :status login status, UNTRIED when omitted
    # @option opts [Object] :task_id id of an Mdm::Task to attach to the login
    # @return [Metasploit::Credential::Login, nil] the saved login, or nil when
    #   no database is active
    def create_credential_and_login(opts = {})
      return unless active_db?

      # Default the task id from the running task when this object exposes one.
      # Note that this writes into the hash the caller passed in.
      opts[:task_id] ||= self[:task].record.id if respond_to?(:[]) && self[:task]

      # create_credential(opts) is the default *argument* of fetch, so it is
      # evaluated even when the caller supplies :core.
      credential_core = opts.fetch(:core, create_credential(opts))
      new_access_level = opts.fetch(:access_level, nil)
      attempted_at = opts.fetch(:last_attempted_at, nil)
      new_status = opts.fetch(:status, Metasploit::Model::Login::Status::UNTRIED)

      login = nil
      retry_transaction do
        service = create_credential_service(opts)
        login = Metasploit::Credential::Login.where(
          core_id: credential_core.id,
          service_id: service.id
        ).first_or_initialize

        task_id = opts[:task_id]
        login.tasks << Mdm::Task.find(task_id) if task_id

        login.access_level = new_access_level if new_access_level
        login.last_attempted_at = attempted_at if attempted_at

        # UNTRIED must not overwrite the status of a login that already has an
        # attempt recorded; every other status is always applied.
        keep_existing = new_status == Metasploit::Model::Login::Status::UNTRIED &&
                        !login.last_attempted_at.nil?
        login.status = new_status unless keep_existing
        login.save!
      end

      login
    end

    # Parses a Brocade configuration (the format is similar to Cisco's), stores
    # the whole text as loot and reports the credential material it contains.
    #
    # The stripped configuration is saved through store_loot as received, so
    # the loot entry holds every hash and community string the device printed.
    # Each extracted value is also written to the console, and is recorded as a
    # credential only while the database is active.
    #
    # Docs: enable password-display -> http://wwwaem.brocade.com/content/html/en/command-reference-guide/fastiron-08040-commandref/GUID-169889CD-1A74-4A23-AC78-38796692374F.html
    #
    # @param thost [Object] address of the device the configuration came from
    # @param tport [Object] port of the service the configuration came from
    # @param config [String] the configuration text
    def brocade_config_eater(thost, tport, config)
      # Attributes shared by every credential reported below; stays nil when
      # no database is connected.
      credential_data =
        if framework.db.active
          {
            address: thost,
            port: tport,
            protocol: 'tcp',
            workspace_id: myworkspace_id,
            origin_type: :service,
            private_type: :nonreplayable_hash,
            service_name: '',
            module_fullname: fullname,
            status: Metasploit::Model::Login::Status::UNTRIED
          }
        end

      # Only invoked after the database check inside each loop, so
      # credential_data is a Hash whenever this runs.
      report = lambda do |overrides|
        create_credential_and_login(credential_data.merge(overrides))
      end

      store_loot('brocade.config', 'text/plain', thost, config.strip, 'config.txt', 'Brocade Configuration')

      # Brocade has a setting called "password display". With it, the
      # configuration contains hashes. Without it, the values are presumably
      # masked; '.....' looks like that mask and is skipped in every loop.
      if config.match?(/enable password-display/)
        print_good('password-display is enabled, hashes will be displayed in config')
      else
        print_bad('password-display is disabled, no password hashes displayed in config')
      end

      # enable password
      # Example lines:
      # enable super-user-password 8 $1$QP3H93Wm$uxYAs2HmAK01QiP3ig5tm.
      enable_pattern = /enable super-user-password 8 (?<admin_password_hash>.+)/i
      config.scan(enable_pattern).each do |fields|
        admin_hash = fields.first.strip
        next if admin_hash == '.....'

        print_good("enable password hash #{admin_hash}")
        next unless framework.db.active

        report.call(username: 'enable', private_data: admin_hash)
      end

      # user account
      # Example lines:
      # username brocade password 8 $1$YBaHUWpr$PzeUrP0XmVOyVNM5rYy99/
      #
      # The hash group is fixed at 34 characters, the length of the `$1$`
      # example above, so hashes of any other length are not reported. For the
      # same reason the '.....' check in this loop cannot match.
      user_pattern = %r{username "?(?<user_name>[a-z0-9]+)"? password (?<user_type>\w+) (?<user_hash>[0-9a-z=\$/\.]{34})}i
      config.scan(user_pattern).each do |fields|
        user_name, user_type, user_hash = fields.map(&:strip)
        next if user_hash == '.....'

        print_good("User #{user_name} of type #{user_type} found with password hash #{user_hash}.")
        next unless framework.db.active

        report.call(username: user_name, private_data: user_hash)
      end

      # snmp
      # Example lines:
      # snmp-server community 1 $Si2^=d rw
      # these at times look base64 encoded, which they may be, but are also encrypted
      #
      # NOTE(review): the credential keeps private_type :nonreplayable_hash from
      # credential_data even when the community does not start with '$';
      # confirm that is the intended type for an unencrypted community.
      snmp_pattern = /snmp-server community (?<snmp_id>[\d]+) (?<snmp_community>.+) (?<snmp_permissions>rw|ro)/i
      config.scan(snmp_pattern).each do |_snmp_id, raw_community, raw_permissions|
        snmp_community = raw_community.strip
        snmp_permissions = raw_permissions.strip
        next if snmp_community == '.....'

        prefix = snmp_community.start_with?('$') ? 'ENCRYPTED ' : ''
        print_good("#{prefix}SNMP community #{snmp_community} with permissions #{snmp_permissions}")
        next unless framework.db.active

        # SNMP is reported against its own service rather than the one the
        # configuration was collected from.
        report.call(protocol: 'udp', port: 161, service_name: 'snmp', private_data: snmp_community)
      end
    end
  end
end