Path: blob/master/lib/msf/core/auxiliary/f5.rb
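# -*- coding: binary -*-

module Msf
  ###
  #
  # This module provides methods for working with F5 equipment
  #
  ###
  module Auxiliary::F5
    include Msf::Auxiliary::Report

    # Parses F5 configuration text and records what it finds: local user
    # password hashes, SNMP community strings, device facts from the
    # `cm device` stanza, SSL key passphrases and master-key hashes.
    #
    # Every value extracted here is secret material. It is echoed to the
    # console through print_good and persisted through
    # create_credential_and_login / store_loot, so console logs and the
    # workspace database need the same protection as the device
    # configuration itself.
    #
    # @param thost [String] address the configuration was taken from
    # @param tport [Integer] port the configuration was taken from
    # @param config [String] raw configuration / tmsh output to parse
    # @param store [Boolean] when true, save the stripped config as loot
    # @return [Array<Array<String>>] the master-key scan matches (incidental,
    #   it is simply the value of the last statement)
    def f5_config_eater(thost, tport, config, store = true)
      credential_data = {
        address: thost,
        port: tport,
        protocol: 'tcp',
        workspace_id: myworkspace_id,
        origin_type: :service,
        private_type: :nonreplayable_hash,
        # https://support.f5.com/csp/article/K65081001
        jtr_format: 'sha512,crypt', # default on the devices 11.4.0+
        service_name: '',
        module_fullname: fullname,
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      # Default SNMP to UDP
      credential_data[:protocol] = 'udp' if tport == 161

      store_loot('f5.config', 'text/plain', thost, config.strip, 'config.txt', 'F5 Configuration') if store

      host_info = {
        host: thost,
        os_name: 'F5'
      }
      report_host(host_info)

      # generated by: tmsh list auth user

      # auth user admin {
      #     description "Admin User"
      #     encrypted-password $6$4FAWSZLi$VeSaxPM2/D1JOhMRN/GMkt5wHcbIVKaIC2g765ZD0VA9ZEEm8iyK40/ncGrZIGyJyJF4ivkScNZ59HWAIKMML/
      #     partition Common
      #     partition-access {
      #         all-partitions {
      #             role admin
      #         }
      #     }
      #     shell none
      # }

      config.scan(%r{auth user ([^ ]+) {\s*description "?([^\n"]+)"?\n\s*encrypted-password ([$\w\+\./]+)\n[\w\s\-{}]+\s+shell (tmsh|bash|none)\n}}mi).each do |result|
        username, description, password_hash, shell = result.map(&:strip)
        cred = credential_data.dup
        cred[:username] = username
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(password_hash)
        cred[:private_data] = password_hash
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} Username '#{username}' with description '#{description}' and shell #{shell} with hash #{password_hash}")
      end

      # generated by: tmsh list sys snmp communities

      # sys snmp {
      #     communities {
      #         comm-public {
      #             community-name public
      #             source default
      #         }
      #         ro {
      #             community-name rocommunity
      #         }
      #         rw {
      #             access rw
      #             community-name rwcommunity
      #         }
      #     }
      # }

      config.scan(/(?:(access rw)?\n)\s+community-name (\w+)/).each do |result|
        # The first group is only set when an "access rw" line directly
        # precedes the community-name line; anything else is read-only.
        access = result[0].nil? ? 'RO' : 'RW'
        community = result[1].strip
        cred = credential_data.dup
        cred[:port] = 161
        cred[:protocol] = 'udp'
        cred[:service_name] = 'snmp'
        cred[:jtr_format] = ''
        cred[:private_data] = community
        cred[:private_type] = :password
        cred[:access_level] = access
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} SNMP Community '#{community}' with #{access} access")
      end

      # generated by: cat /config/bigip.conf

      # cm device /Common/f5bigip.ragegroup.com {
      #     active-modules { "BIG-IP, VE Trial|VTFAAAA-AAAAAAA|Rate Shaping|External Interface and Network HSM, VE|SDN Services, VE|SSL, Forward Proxy, VE|BIG-IP VE, Multicast Routing|APM, Limited|SSL, VE|DNS (1K QPS), VE|Routing Bundle, VE|ASM, VE|Crytpo Offload, VE, Tier 1 (25M - 200M)|Max Compression, VE|AFM, VE|DNSSEC|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Network Access|Secure Virtual Keyboard|APM, Web Application|Machine Certificate Checks|Protected Workspace|Remote Desktop|App Tunnel|VE, Carrier Grade NAT (AFM ONLY)|PSM, VE" }
      #     base-mac 00:11:11:a1:a1:a1
      #     build 0.0.9
      #     cert /Common/dtdi.crt
      #     chassis-id 164aaf79-aace-3494-1237671446c7
      #     configsync-ip 10.10.10.222
      #     edition "Point Release 2"
      #     hostname f5bigip.home.com
      #     key /Common/dtdi.key
      #     management-ip 1.1.1.1
      #     marketing-name "BIG-IP Virtual Edition"
      #     platform-id Z100
      #     product BIG-IP
      #     self-device true
      #     time-zone America/Los_Angeles
      #     version 15.1.0.2
      # }

      # NOTE(review): this capture is greedy and runs to the last `}` that ends
      # a line, so the lookups below see everything after the first
      # `cm device` header and each one takes the first occurrence of its field.
      if /^cm device (?<content>.+)}$/m =~ config
        if /hostname (?<hostname>[\w\.-]+)$/i =~ content
          print_good("#{thost}:#{tport} Hostname: #{hostname}")
          host_info[:name] = hostname
          report_host(host_info)
        end
        if /base-mac (?<mac>[\d:a-f]+)$/i =~ content
          print_good("#{thost}:#{tport} MAC Address: #{mac}")
          host_info[:mac] = mac
          report_host(host_info)
        end
        # The management IP is only printed, it is not added to host_info.
        if /management-ip (?<ip>[\d\.]+)$/ =~ content
          print_good("#{thost}:#{tport} Management IP: #{ip}")
        end
        if /product (?<product>[\w-]+)$/i =~ content
          print_good("#{thost}:#{tport} Product #{product}")
          host_info[:os_name] = "F5 #{product}"
          report_host(host_info)
        end
        if /version (?<version>[\d\.]+)$/i =~ content
          print_good("#{thost}:#{tport} OS Version: #{version}")
          host_info[:os_flavor] = version
          report_host(host_info)
        end
      end

      # generated by: cat /config/bigip.conf

      # sys file ssl-key /Common/f5_api_com.key {
      #     cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_63086_1
      #     passphrase $M$iE$cIdy72xi7Xbk3kazSrpdfscd+oD1pdsXJbwhvhMPiss4Iw0RKIJQS/CuSReZl/+kseKpPCNpBWNWOOaBCwlQ0v4sl7ZUkxCymh5pfFNAjhc=
      #     revision 1
      #     source-path file:///config/ssl/ssl.key/f5_api_com.key
      # }

      # Each match is confined to a single stanza: the key name may not span
      # lines and the fields may not cross a closing brace. The previous
      # pattern used greedy `.+` with /m, so when the config held more than one
      # ssl-key stanza it produced a single match whose name ran across
      # stanzas and whose passphrase and source-path were the last ones in the
      # file, attributing the secret to the wrong key.
      # NOTE(review): assumes ssl-key stanzas contain no nested braces, as in
      # the sample above; a stanza that does is skipped rather than mis-paired.
      ssl_key_block = %r{^sys file ssl-key ([^\n]+?) \{[^\}]*?passphrase ([$\w/+=]+)[^\}]*?source-path file://([\w/.]+)}i
      config.scan(ssl_key_block).each do |result|
        # key_name is not really a username, but it is stored in that field
        # since it is a common name
        key_name, passphrase, file = result.map(&:strip)
        cred = credential_data.dup
        cred[:username] = key_name
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(passphrase)
        cred[:private_data] = passphrase
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} SSL Key '#{key_name}' and hash #{passphrase} for #{file}")
      end

      # generated by tmsh show sys crypto master-key

      # --------------------------------------------------------------------------------
      # Sys::Master-Key
      # --------------------------------------------------------------------------------
      # master-key hash <EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==>
      # previous hash <EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==>

      config.scan(%r{(master-key|previous) hash\s+<([\w\+/=]+)>}i).each do |result|
        key_type, key = result.map(&:strip)
        cred = credential_data.dup
        cred[:username] = "F5 #{key_type} hash"
        cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(key) # will come back empty
        cred[:private_data] = key
        create_credential_and_login(cred)
        print_good("#{thost}:#{tport} F5 #{key_type} hash #{key}")
      end
    end
  end
end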