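# -*- coding: binary -*-

module Msf
###
#
# This module provides methods for working with Cisco equipment: reversing
# IOS "type 7" password obfuscation and harvesting host details and
# credentials out of a captured running-config.
#
###
module Auxiliary::Cisco
  include Msf::Auxiliary::Report

  # XOR key used by the IOS "service password-encryption" (type 7) scheme.
  # The first 26 bytes are the table the previous implementation carried;
  # the remainder completes the well-known 53-byte key, so a string whose
  # seed + length exceeds 26 no longer indexes past the table and raises a
  # TypeError (which the config parser then swallowed, losing the password).
  CISCO_TYPE7_XLAT = [
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
    0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
    0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,
    0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,
    0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,
    0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,
    0x3b, 0x66, 0x67, 0x38, 0x37
  ].freeze

  # Reverses a Cisco IOS type-7 obfuscated password.
  #
  # @param inp [String] the value as written in the config: a two-digit
  #   decimal seed followed by pairs of hex digits, e.g. "0822455D0A16"
  # @return [String, nil] the recovered plaintext as a binary string, or nil
  #   when inp does not start with a two-digit seed or is too long for the
  #   key table (i.e. it is not a well-formed type-7 string)
  def cisco_ios_decrypt7(inp)
    return nil unless inp[0, 2] =~ /\d\d/

    seed = inp[0, 2].to_i
    # Each remaining pair of hex digits is one ciphertext byte; an odd
    # trailing nibble is ignored, as it was before.
    pairs = inp[2..-1].scan(/../)
    return nil if seed + pairs.size > CISCO_TYPE7_XLAT.size

    plain = pairs.each_with_index.map do |pair, i|
      pair.to_i(16) ^ CISCO_TYPE7_XLAT[seed + i]
    end
    plain.pack('C*')
  end

  # Best-effort type-7 decryption for the config parser.
  #
  # @param enc [String] the value as written in the config
  # @return [String] the plaintext when the value decodes cleanly, otherwise
  #   enc unchanged, so a malformed value is still printed and stored instead
  #   of being replaced with nil (the previous code stored nil in that case)
  def cisco_ios_decrypt7_or_raw(enc)
    cisco_ios_decrypt7(enc) || enc
  rescue StandardError
    enc
  end

  # Persists a credential record built by cisco_ios_config_eater.
  #
  # @param cred [Hash, nil] record to store; nil means no database is
  #   connected and storage is skipped
  def cisco_ios_store_cred(cred)
    create_credential_and_login(cred) if cred
  end

  # Prints and stores a secret whose IOS encryption type is a digit:
  # 0 = cleartext, 5 = salted MD5 (john's "md5" format), 7 = reversible.
  # Any other type (e.g. the newer 8/9 secrets) is kept as an opaque hash
  # rather than being silently dropped as before.
  #
  # @param thost [String] host the config came from (for the console line)
  # @param tport [Integer] port the config came from (for the console line)
  # @param cred [Hash, nil] credential record with :private_data already set
  #   to value; nil when no database is connected
  # @param stype [Integer] the type digit from the config line
  # @param value [String] the password or hash as written in the config
  # @param labels [Hash{Symbol=>String}] console label for :md5, :plain,
  #   :type7 and :other; the value is appended after ": "
  def cisco_ios_report_typed_secret(thost, tport, cred, stype, value, labels)
    case stype
    when 5
      print_good("#{thost}:#{tport} #{labels[:md5]}: #{value}")
      if cred
        cred[:jtr_format] = 'md5'
        cred[:private_type] = :nonreplayable_hash
        create_credential_and_login(cred)
      end
    when 0
      print_good("#{thost}:#{tport} #{labels[:plain]}: #{value}")
      cisco_ios_store_cred(cred)
    when 7
      plain = cisco_ios_decrypt7_or_raw(value)
      print_good("#{thost}:#{tport} #{labels[:type7]}: #{plain}")
      if cred
        cred[:private_data] = plain
        create_credential_and_login(cred)
      end
    else
      # Not reversible here; record it without a jtr_format so it is at
      # least available for offline work.
      print_good("#{thost}:#{tport} #{labels[:other]} (type #{stype}): #{value}")
      if cred
        cred[:private_type] = :nonreplayable_hash
        create_credential_and_login(cred)
      end
    end
  end

  # Parses a captured IOS running-config, storing it as loot, reporting the
  # host and printing/storing every credential it recognises (enable, VTY and
  # user passwords, SNMP communities, WPA keys, ISAKMP/GRE/NHRP keys,
  # web-admin and PPP secrets). The config is attacker-controlled text from
  # the target; every pattern below is anchored per line and bounded, and
  # nothing from it is evaluated or executed.
  #
  # @param thost [String] address the config was pulled from
  # @param tport [Integer] port it was pulled from; 161 marks SNMP so stored
  #   credentials default to udp
  # @param config [String] raw configuration text
  # @return [void]
  def cisco_ios_config_eater(thost, tport, config)
    # Base record for every credential. Stays nil when no database is
    # connected so printing still works; the previous code dereferenced it
    # unconditionally (SNMP port default and community lines) and crashed.
    credential_data = nil
    if framework.db.active
      credential_data = {
        address: thost,
        port: tport,
        protocol: 'tcp',
        workspace_id: myworkspace_id,
        origin_type: :service,
        private_type: :password,
        service_name: '',
        module_fullname: fullname,
        status: Metasploit::Model::Login::Status::UNTRIED
      }
      # Default SNMP to UDP
      credential_data[:protocol] = 'udp' if tport == 161
    end

    # Per-credential copy of the base record, or nil without a database.
    new_cred = ->(extra) { credential_data && credential_data.merge(extra) }

    store_loot('cisco.ios.config', 'text/plain', thost, config.strip, 'config.txt', 'Cisco IOS Configuration')

    # Most recently seen "interface tunnelN"; GRE/NHRP keys are attributed to it.
    tuniface = nil

    host_info = {
      host: thost,
      os_name: 'Cisco IOS'
    }
    report_host(host_info)

    user_labels = lambda do |user|
      {
        md5: "Username '#{user}' with MD5 Encrypted Password",
        plain: "Username '#{user}' with Password",
        type7: "Username '#{user}' with Decrypted Password",
        other: "Username '#{user}' with Hashed Password"
      }
    end

    config.each_line do |line|
      case line
      #
      # Cover host details
      #
      when /^version (\d\d\.\d)/i
        host_info[:os_flavor] = Regexp.last_match(1).to_s
        report_host(host_info)
      when /^hostname (\S+)/i
        host_info[:name] = Regexp.last_match(1).to_s
        report_host(host_info)

      #
      # Enable passwords
      #
      when /^\s*enable (password|secret) (\d+) (.*)/i
        stype = Regexp.last_match(2).to_i
        shash = Regexp.last_match(3).strip
        cisco_ios_report_typed_secret(
          thost, tport, new_cred.call(private_data: shash), stype, shash,
          md5: 'MD5 Encrypted Enable Password',
          plain: 'Enable Password',
          type7: 'Decrypted Enable Password',
          other: 'Enable Secret Hash'
        )

      when /^\s*enable password (.*)/i
        spass = Regexp.last_match(1).strip
        print_good("#{thost}:#{tport} Unencrypted Enable Password: #{spass}")
        cisco_ios_store_cred(new_cred.call(private_data: spass))

      #
      # SNMP
      #
      when /^\s*snmp-server community ([^\s]+) (RO|RW)/i
        stype = Regexp.last_match(2).strip
        scomm = Regexp.last_match(1).strip
        print_good("#{thost}:#{tport} SNMP Community (#{stype}): #{scomm}")
        # A community is always an SNMP/UDP credential, whatever transport
        # the config itself was fetched over.
        cisco_ios_store_cred(new_cred.call(
          access_level: stype.upcase,
          protocol: 'udp',
          port: 161,
          private_data: scomm
        ))

      #
      # VTY Passwords
      #
      when /^\s*password 7 ([^\s]+)/i
        spass = cisco_ios_decrypt7_or_raw(Regexp.last_match(1).strip)
        print_good("#{thost}:#{tport} Decrypted VTY Password: #{spass}")
        cisco_ios_store_cred(new_cred.call(private_data: spass))

      when /^\s*(password|secret) 5 (.*)/i
        shash = Regexp.last_match(2).strip
        print_good("#{thost}:#{tport} MD5 Encrypted VTY Password: #{shash}")
        cisco_ios_store_cred(new_cred.call(
          jtr_format: 'md5',
          private_data: shash,
          private_type: :nonreplayable_hash
        ))

      when /^\s*password (0 |)([^\s]+)/i
        spass = Regexp.last_match(2).strip
        print_good("#{thost}:#{tport} Unencrypted VTY Password: #{spass}")
        cisco_ios_store_cred(new_cred.call(private_data: spass))

      #
      # WiFi Passwords
      #
      when /^\s*encryption key \d+ size \d+bit (\d+) ([^\s]+)/
        # Printed only; WEP keys are not stored as credentials.
        spass = Regexp.last_match(2).strip
        print_good("#{thost}:#{tport} Wireless WEP Key: #{spass}")

      when /^\s*wpa-psk (ascii|hex) (\d+) ([^\s]+)/i
        stype = Regexp.last_match(2).to_i
        spass = Regexp.last_match(3).strip
        cisco_ios_report_typed_secret(
          thost, tport, new_cred.call(private_data: spass), stype, spass,
          md5: 'Wireless WPA-PSK MD5 Password Hash',
          plain: 'Wireless WPA-PSK Password',
          type7: 'Wireless WPA-PSK Decrypted Password',
          other: 'Wireless WPA-PSK Hash'
        )

      #
      # VPN Passwords
      #
      when /^\s*crypto isakmp key ([^\s]+) address ([^\s]+)/i
        spass = Regexp.last_match(1)
        shost = Regexp.last_match(2)
        print_good("#{thost}:#{tport} VPN IPSEC ISAKMP Key '#{spass}' Host '#{shost}'")
        # Stored as :nonreplayable_hash, as before; NOTE(review): this is a
        # pre-shared key and arguably belongs under :password.
        cisco_ios_store_cred(new_cred.call(private_data: spass, private_type: :nonreplayable_hash))

      when /^\s*interface tunnel(\d+)/i
        tuniface = Regexp.last_match(1)

      when /^\s*tunnel key ([^\s]+)/i
        spass = Regexp.last_match(1)
        print_good("#{thost}:#{tport} GRE Tunnel Key #{spass} for Interface Tunnel #{tuniface}")
        cisco_ios_store_cred(new_cred.call(private_data: spass, private_type: :nonreplayable_hash))

      when /^\s*ip nhrp authentication ([^\s]+)/i
        spass = Regexp.last_match(1)
        print_good("#{thost}:#{tport} NHRP Authentication Key #{spass} for Interface Tunnel #{tuniface}")
        cisco_ios_store_cred(new_cred.call(private_data: spass, private_type: :nonreplayable_hash))

      #
      # Various authentication secrets
      #
      when /^\s*username ([^\s]+) privilege (\d+) (secret|password) (\d+) ([^\s]+)/i
        user = Regexp.last_match(1)
        stype = Regexp.last_match(4).to_i
        spass = Regexp.last_match(5)
        cisco_ios_report_typed_secret(
          thost, tport, new_cred.call(username: user.to_s, private_data: spass),
          stype, spass, user_labels.call(user)
        )

      # This regex captures ephones from Cisco Unified Communications Manager Express (CUE) which come in forms like:
      # username "phonefour" password 444444
      # username test password test
      # This is used for the voicemail system
      when /^\s*username "?([\da-z]+)"? password ([^\s]+)/i
        user = Regexp.last_match(1)
        spass = Regexp.last_match(2)
        print_good("#{thost}:#{tport} ePhone Username '#{user}' with Password: #{spass}")
        cisco_ios_store_cred(new_cred.call(username: user.to_s, private_data: spass))

      when /^\s*username ([^\s]+) (secret|password) (\d+) ([^\s]+)/i
        user = Regexp.last_match(1)
        stype = Regexp.last_match(3).to_i
        spass = Regexp.last_match(4)
        cisco_ios_report_typed_secret(
          thost, tport, new_cred.call(username: user.to_s, private_data: spass),
          stype, spass, user_labels.call(user)
        )

      # https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/command/reference/cme_cr/cme_cr_chapter_010101.html#wp3722577363
      # The type group was "[0|5]" (a character class that also matched a
      # literal "|"); "[05]" is what was meant. The match is case-insensitive,
      # so the captured type is downcased before the string comparison below.
      when /^\s*web admin (customer|system) name ([^\s]+) (secret [05]|password) ([^\s]+)/i
        login = Regexp.last_match(1)
        suser = Regexp.last_match(2)
        stype = Regexp.last_match(3).downcase
        spass = Regexp.last_match(4)
        cred = new_cred.call(username: suser.to_s, private_data: spass)

        case stype
        when 'secret 5'
          print_good("#{thost}:#{tport} Web Admin Username: #{suser} Type: #{login} MD5 Encrypted Password: #{spass}")
          if cred
            cred[:jtr_format] = 'md5'
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
          end
        when 'secret 0', 'password'
          print_good("#{thost}:#{tport} Web Username: #{suser} Type: #{login} Password: #{spass}")
          cisco_ios_store_cred(cred)
        end

      when /^\s*ppp.*username ([^\s]+) (secret|password) (\d+) ([^\s]+)/i
        suser = Regexp.last_match(1)
        stype = Regexp.last_match(3).to_i
        spass = Regexp.last_match(4)
        cisco_ios_report_typed_secret(
          thost, tport, new_cred.call(username: suser.to_s, private_data: spass), stype, spass,
          md5: "PPP Username #{suser} MD5 Encrypted Password",
          plain: "PPP Username: #{suser} Password",
          type7: "PPP Username: #{suser} Decrypted Password",
          other: "PPP Username: #{suser} Hashed Password"
        )

      when /^\s*ppp chap (secret|password) (\d+) ([^\s]+)/i
        stype = Regexp.last_match(2).to_i
        spass = Regexp.last_match(3)
        cisco_ios_report_typed_secret(
          thost, tport, new_cred.call(private_data: spass), stype, spass,
          md5: 'PPP CHAP MD5 Encrypted Password',
          plain: 'Password',
          type7: 'PPP Decrypted Password',
          other: 'PPP CHAP Hashed Password'
        )
      end
    end
  end
end
end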