# -*- coding: binary -*-
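module Msf
  ###
  #
  # This module provides methods for working with F5 equipment
  #
  ###
  module Auxiliary::F5
    include Msf::Auxiliary::Report

    # Parses an F5 (TMOS / BIG-IP) configuration dump and reports what it
    # contains: the host itself, its identifying details (hostname, MAC,
    # product, version) and every credential-like value the parsers below
    # recognise - local user password hashes, SNMP community strings, SSL key
    # passphrases and the crypto master-key hashes.  Each value is stored via
    # create_credential_and_login and echoed with print_good.
    #
    # @param thost [String] address the configuration was retrieved from
    # @param tport [Integer] port the configuration was retrieved from;
    #   161 is treated as SNMP and switches the recorded protocol to UDP
    # @param config [String] raw configuration text
    # @param store [Boolean] when true the stripped configuration is saved as loot
    # @return [void]
    def f5_config_eater(thost, tport, config, store = true)
      credential_data = f5_base_credential_data(thost, tport)

      store_loot('f5.config', 'text/plain', thost, config.strip, 'config.txt', 'F5 Configuration') if store

      host_info = { host: thost, os_name: 'F5' }
      report_host(host_info)

      f5_report_auth_users(thost, tport, config, credential_data)
      f5_report_snmp_communities(thost, tport, config, credential_data)
      f5_report_device_info(thost, tport, config, host_info)
      f5_report_ssl_keys(thost, tport, config, credential_data)
      f5_report_master_keys(thost, tport, config, credential_data)
    end

    private

    # Builds the credential hash every reported secret starts from.  Callers
    # dup it and fill in :username / :private_data (and, for SNMP, override
    # port, protocol and type).
    #
    # @param thost [String] service address
    # @param tport [Integer] service port
    # @return [Hash]
    def f5_base_credential_data(thost, tport)
      {
        address: thost,
        port: tport,
        # SNMP is reported against UDP; everything else came over TCP
        protocol: tport == 161 ? 'udp' : 'tcp',
        workspace_id: myworkspace_id,
        origin_type: :service,
        private_type: :nonreplayable_hash,
        # https://support.f5.com/csp/article/K65081001
        # Default on devices 11.4.0+; per-credential parsers replace it with
        # whatever identify_hash recognises.
        jtr_format: 'sha512,crypt',
        service_name: '',
        module_fullname: fullname,
        status: Metasploit::Model::Login::Status::UNTRIED
      }
    end

    # Reports local user accounts and their password hashes.
    #
    # generated by: tmsh list auth user
    #
    #   auth user admin {
    #       description "Admin User"
    #       encrypted-password $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/
    #       partition Common
    #       partition-access {
    #           all-partitions {
    #               role admin
    #           }
    #       }
    #       shell none
    #   }
    #
    # @return [void]
    def f5_report_auth_users(thost, tport, config, credential_data)
      user_re = %r{auth user ([^ ]+) {\s*description "?([^\n"]+)"?\n\s*encrypted-password ([$\w\+\./]+)\n[\w\s\-{}]+\s+shell (tmsh|bash|none)\n}mi

      config.scan(user_re).each do |username, description, password_hash, shell|
        username = username.strip
        description = description.strip
        password_hash = password_hash.strip
        shell = shell.strip

        cred = credential_data.dup
        cred[:username] = username
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(password_hash)
        cred[:private_data] = password_hash
        create_credential_and_login(cred)

        print_good("#{thost}:#{tport} Username '#{username}' with description '#{description}' and shell #{shell} with hash #{password_hash}")
      end
    end

    # Reports SNMP community strings.  A community preceded by an
    # "access rw" line is recorded as RW, otherwise RO.
    #
    # generated by: tmsh list sys snmp communities
    #
    #   sys snmp {
    #       communities {
    #           comm-public {
    #               community-name public
    #               source default
    #           }
    #           ro {
    #               community-name rocommunity
    #           }
    #           rw {
    #               access rw
    #               community-name rwcommunity
    #           }
    #       }
    #   }
    #
    # @return [void]
    def f5_report_snmp_communities(thost, tport, config, credential_data)
      config.scan(/(?:(access rw)?\n)\s+community-name (\w+)/).each do |rw_marker, community|
        access = rw_marker.nil? ? 'RO' : 'RW'
        community = community.strip

        # Communities are always an SNMP/UDP credential regardless of the
        # service the config came from, and they are plaintext.
        cred = credential_data.merge(
          port: 161,
          protocol: 'udp',
          service_name: 'snmp',
          jtr_format: '',
          private_data: community,
          private_type: :password,
          access_level: access
        )
        create_credential_and_login(cred)

        print_good("#{thost}:#{tport} SNMP Community '#{community}' with #{access} access")
      end
    end

    # Reports identifying details from the "cm device" stanza, updating and
    # re-reporting host_info as each one is found.
    #
    # generated by: cat /config/bigip.conf
    #
    #   cm device /Common/f5bigip.ragegroup.com {
    #       active-modules { "BIG-IP, VE Trial|VTFAAAA-AAAAAAA|Rate Shaping|...|PSM, VE" }
    #       base-mac 00:11:11:a1:a1:a1
    #       build 0.0.9
    #       cert /Common/dtdi.crt
    #       chassis-id 164aaf79-aace-3494-1237671446c7
    #       configsync-ip 10.10.10.222
    #       edition "Point Release 2"
    #       hostname f5bigip.home.com
    #       key /Common/dtdi.key
    #       management-ip 1.1.1.1
    #       marketing-name "BIG-IP Virtual Edition"
    #       platform-id Z100
    #       product BIG-IP
    #       self-device true
    #       time-zone America/Los_Angeles
    #       version 15.1.0.2
    #   }
    #
    # @param host_info [Hash] mutated in place with :name, :mac, :os_name, :os_flavor
    # @return [void]
    def f5_report_device_info(thost, tport, config, host_info)
      # NOTE(review): with /m the greedy `.+` makes `content` run from the
      # cm device stanza to the last line-ending `}` in the whole config, so
      # a field missing from the stanza could be satisfied by a later stanza.
      # Left as-is pending a check against a multi-stanza config.
      device = config.match(/^cm device (?<content>.+)}$/m)
      return unless device

      content = device[:content]

      if (m = content.match(/hostname (?<hostname>[\w\.-]+)$/i))
        print_good("#{thost}:#{tport} Hostname: #{m[:hostname]}")
        host_info[:name] = m[:hostname]
        report_host(host_info)
      end

      if (m = content.match(/base-mac (?<mac>[\d:a-f]+)$/i))
        print_good("#{thost}:#{tport} MAC Address: #{m[:mac]}")
        host_info[:mac] = m[:mac]
        report_host(host_info)
      end

      if (m = content.match(/management-ip (?<ip>[\d\.]+)$/))
        print_good("#{thost}:#{tport} Management IP: #{m[:ip]}")
      end

      if (m = content.match(/product (?<product>[\w-]+)$/i))
        print_good("#{thost}:#{tport} Product #{m[:product]}")
        host_info[:os_name] = "F5 #{m[:product]}"
        report_host(host_info)
      end

      if (m = content.match(/version (?<version>[\d\.]+)$/i))
        print_good("#{thost}:#{tport} OS Version: #{m[:version]}")
        host_info[:os_flavor] = m[:version]
        report_host(host_info)
      end
    end

    # Reports passphrase-protected SSL keys.  The key object name stands in
    # for the username since that is how it is commonly referred to.
    #
    # generated by: cat /config/bigip.conf
    #
    #   sys file ssl-key /Common/f5_api_com.key {
    #       cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_63086_1
    #       passphrase $M$iE$cIdy72xi7Xbk3kazSrpdfscd+oD1pdsXJbwhvhMPiss4Iw0RKIJQS/CuSReZl/+kseKpPCNpBWNWOOaBCwlQ0v4sl7ZUkxCymh5pfFNAjhc=
    #       revision 1
    #       source-path file:///config/ssl/ssl.key/f5_api_com.key
    #   }
    #
    # @return [void]
    def f5_report_ssl_keys(thost, tport, config, credential_data)
      # The name must stay on its own line and the passphrase / source-path
      # must be found before the stanza's closing brace.  The previous
      # `.+` with /m was greedy across stanzas, so a config with several
      # ssl-key objects collapsed into a single match whose "name" spanned
      # everything up to the last stanza with a passphrase.
      key_re = %r{^sys file ssl-key ([^\n]+?) \{[^}]*?passphrase ([$\w/\+=]+)[^}]*?source-path file://([\w/\.]+)}i

      config.scan(key_re).each do |key_name, passphrase_hash, file|
        key_name = key_name.strip
        passphrase_hash = passphrase_hash.strip
        file = file.strip

        cred = credential_data.dup
        cred[:username] = key_name
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(passphrase_hash)
        cred[:private_data] = passphrase_hash
        create_credential_and_login(cred)

        print_good("#{thost}:#{tport} SSL Key '#{key_name}' and hash #{passphrase_hash} for #{file}")
      end
    end

    # Reports the current and previous crypto master-key hashes.
    #
    # generated by: tmsh show sys crypto master-key
    #
    #   --------------------------------------------------------------------------------
    #   Sys::Master-Key
    #   --------------------------------------------------------------------------------
    #   master-key hash <EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==>
    #   previous hash <EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==>
    #
    # @return [void]
    def f5_report_master_keys(thost, tport, config, credential_data)
      config.scan(%r{(master-key|previous) hash\s+<([\w\+/=]+)>}i).each do |key_type, key|
        key_type = key_type.strip
        key = key.strip

        cred = credential_data.dup
        cred[:username] = "F5 #{key_type} hash"
        # identify_hash does not know this format and comes back empty
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(key)
        cred[:private_data] = key
        create_credential_and_login(cred)

        print_good("#{thost}:#{tport} F5 #{key_type} hash #{key}")
      end
    end
  end
end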