# -*- coding: binary -*-
module Msf
###
#
# This module provides methods for parsing Juniper ScreenOS and JunOS configuration files and recording the credentials they contain
#
###
module Auxiliary::Juniper
include Msf::Auxiliary::Report
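def juniper_screenos_config_eater(thost, tport, config)
  # Parse a Juniper ScreenOS (NetScreen; the OS on SSG-class devices such as
  # the SSG5) configuration: report the host, keep the raw config as loot and,
  # when a database is active, record every credential found as a Metasploit
  # credential/login. Each finding is also echoed with print_good, so console
  # output and logs will contain the secrets.
  #
  # @param thost [String] host the configuration was retrieved from
  # @param tport [Integer] port the configuration was retrieved from
  # @param config [String] full ScreenOS configuration text
  # @return [void]
  #
  # ScreenOS resembles Cisco syntax, but the fields we care about are spread
  # over several `set ...` lines. The multi-line scans therefore use /m with
  # lazy (.+?) gaps and a back-reference on the quoted name so that each match
  # is bounded to a single object. The previous greedy `.+` gaps ran to the end
  # of the config under /m: the user scan ended in a trailing `.+` and so could
  # only ever report the first user, and the PPP secret capture swallowed
  # everything up to the last `"` in the file. Quoted captures are now [^"]+.
  # Docs: snmp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB4223
  #       ppp  -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB22592
  #       ike  -> https://kb.juniper.net/KB4147
  #       https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L171

  report_host({
    host: thost,
    os_name: 'Juniper ScreenOS'
  })

  # Template shared by every credential below; each section dups it and
  # overrides the service-specific fields. Built only when the DB is active
  # because myworkspace_id requires one.
  credential_data = nil
  if framework.db.active
    credential_data = {
      address: thost,
      port: tport,
      protocol: 'tcp',
      workspace_id: myworkspace_id,
      origin_type: :service,
      service_name: '',
      private_type: :nonreplayable_hash,
      module_fullname: fullname,
      status: Metasploit::Model::Login::Status::UNTRIED
    }
  end

  store_loot('juniper.netscreen.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')

  # Admin name and password hash. Example lines:
  #   set admin name "netscreen"
  #   set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
  admin_re = /set admin name "(?<admin_name>[^"]+)".+?set admin password "(?<admin_password_hash>[a-z0-9]+)"/mi
  config.scan(admin_re).each do |name, hash|
    admin_name = name.strip
    admin_hash = hash.strip
    print_good("Admin user #{admin_name} found with password hash #{admin_hash}")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:username] = admin_name
    cred[:private_data] = admin_hash
    create_credential_and_login(cred)
  end

  # Local user accounts. Example lines:
  #   set user "testuser" uid 1
  #   set user "testuser" type auth
  #   set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
  #   set user "testuser" enable
  # The hash is matched as a fixed 38-character token. The match ends at the
  # user's `enable` line so the following users remain available to the next
  # match; users without an `enable` line are not reported by this pattern.
  user_re = /set user "(?<user_name>[^"]+)" uid (?<user_uid>\d+).+?set user "\k<user_name>" type (?<user_type>\w+).+?set user "\k<user_name>" hash-password "(?<user_hash>[0-9a-z=]{38})".+?set user "\k<user_name>" (?<user_enable>enable)/mi
  config.scan(user_re).each do |result|
    # user_type is captured to keep the four lines together but is not reported.
    user_name, user_uid, _user_type, user_hash, user_enable = result.map(&:strip)
    print_good("User #{user_uid} named #{user_name} found with password hash #{user_hash}. Enable permission: #{user_enable}")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:username] = user_name
    # NOTE(review): 'sha1' is the JtR format the original author assigned to
    # these 38-character tokens; it is not verified here.
    cred[:jtr_format] = 'sha1'
    cred[:private_data] = user_hash
    create_credential_and_login(cred)
  end

  # SNMP community strings. Example line:
  #   set snmp community "sales" Read-Write Trap-on traffic version v1
  # Communities are plaintext, so they are recorded as :password on udp/161.
  snmp_re = /set snmp community "(?<snmp_community>[a-z0-9]+)" (?<snmp_permissions>Read-Write|Read-Only)/i
  config.scan(snmp_re).each do |community, permissions|
    snmp_community = community.strip
    snmp_permissions = permissions.strip
    print_good("SNMP community #{snmp_community} with permissions #{snmp_permissions}")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:access_level] = snmp_permissions.casecmp?('read-write') ? 'RW' : 'RO'
    cred[:protocol] = 'udp'
    cred[:port] = 161
    cred[:service_name] = 'snmp'
    cred[:private_data] = snmp_community
    cred[:private_type] = :password
    create_credential_and_login(cred)
  end

  # PPP profiles, recorded as PPTP (tcp/1723). Example lines:
  #   setppp profile "ISP" auth type pap
  #   setppp profile "ISP" auth local-name "username"
  #   setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="
  ppp_re = /setppp profile "(?<ppp_name>[^"]+)" auth type (?<ppp_authtype>[a-z]+).+?setppp profile "\k<ppp_name>" auth local-name "(?<ppp_username>[^"]+)".+?setppp profile "\k<ppp_name>" auth secret "(?<ppp_hash>[^"]+)"/mi
  config.scan(ppp_re).each do |result|
    ppp_name, ppp_authtype, ppp_username, ppp_hash = result.map(&:strip)
    print_good("PPTP Profile #{ppp_name} with username #{ppp_username} hash #{ppp_hash} via #{ppp_authtype}")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:username] = ppp_username
    cred[:private_data] = ppp_hash
    cred[:service_name] = 'pptp'
    cred[:port] = 1723
    create_credential_and_login(cred)
  end

  # IKE gateways. Example line:
  #   set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
  # The pre-shared key is plaintext in the config, so it is recorded as a
  # :password credential against the remote gateway (udp/500), not thost.
  # Only Main-mode gateways with a static `address` match this pattern; other
  # gateway forms are not reported.
  ike_re = /set ike gateway "(?<ike_name>[^"]+)" address (?<ike_address>[0-9.]+) Main outgoing-interface "[^"]+" preshare "(?<ike_password>[^"]+)" proposal "(?<ike_method>[^"]+)"/i
  config.scan(ike_re).each do |result|
    ike_name, ike_address, ike_password, ike_method = result.map(&:strip)
    print_good("IKE Profile #{ike_name} to #{ike_address} with password #{ike_password} via #{ike_method}")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:private_data] = ike_password
    cred[:private_type] = :password
    cred[:service_name] = 'ike'
    cred[:port] = 500
    cred[:address] = ike_address
    cred[:protocol] = 'udp'
    create_credential_and_login(cred)
  end
end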
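def juniper_junos_config_eater(thost, tport, config)
  # Parse a Juniper JunOS configuration (curly-brace "show configuration"
  # format): report the host, keep the raw config as loot and, when a
  # database is active, record the credentials it contains: root and login
  # user password hashes, SNMP communities, RADIUS and TACACS+ shared secrets
  # and PAP secrets. Each finding is also echoed with print_good, so console
  # output and logs will contain the secrets.
  #
  # @param thost [String] host the configuration was retrieved from
  # @param tport [Integer] port the configuration was retrieved from
  # @param config [String] full JunOS configuration text
  # @return [void]
  #
  # NOTE(review): the RADIUS/TACACS+/PAP secrets normally appear as `$9$...`
  # tokens, which are widely described as reversible obfuscation rather than
  # a one-way hash; they are recorded as :nonreplayable_hash here. If a
  # decoder is available they could be stored as :password instead — confirm.
  #
  # Changes from the previous revision: the PAP `local-name` capture was a
  # greedy `.+` that, on the single-line config built below, ran to the last
  # `local-password` in the file; TACACS+ credentials were recorded against
  # thost/tport with no service name, unlike RADIUS; and the SNMP community
  # character class contained the unescaped range `/-:`, so hyphenated
  # community names were never matched.

  report_host({
    host: thost,
    os_name: 'Juniper JunOS'
  })

  # Template shared by every credential below; each section dups it and
  # overrides the service-specific fields. Built only when the DB is active
  # because myworkspace_id requires one.
  credential_data = nil
  if framework.db.active
    credential_data = {
      address: thost,
      port: tport,
      protocol: 'tcp',
      workspace_id: myworkspace_id,
      origin_type: :service,
      private_type: :nonreplayable_hash,
      service_name: '',
      module_fullname: fullname,
      status: Metasploit::Model::Login::Status::UNTRIED
    }
  end

  store_loot('juniper.junos.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper JunOS Configuration')

  # Collapse the config onto a single line so the scans below do not have to
  # model JunOS's block layout. Lines are joined with no separator, so the
  # patterns rely on the indentation JunOS prints for the whitespace they
  # expect; a column-0 line is fused directly onto the preceding `}`.
  config = config.split("\n").join('')

  # Root password hash. Example:
  #   system {
  #       root-authentication {
  #           encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
  #       }
  #   }
  root_match = config.match(/root-authentication\s+\{\s+encrypted-password "(?<root_hash>[^"]+)";/i)
  if root_match
    root_hash = root_match[:root_hash].strip
    jtr_format = Metasploit::Framework::Hashes.identify_hash root_hash
    print_good("root password hash: #{root_hash}")
    if framework.db.active
      cred = credential_data.dup
      cred[:username] = 'root'
      cred[:jtr_format] = jtr_format
      cred[:private_data] = root_hash
      create_credential_and_login(cred)
    end
  end

  # Login users. Login classes: https://kb.juniper.net/InfoCenter/index?page=content&id=KB10902
  # The optional full-name group only keeps the pattern aligned with the
  # rendered layout; it is not reported. Because the pattern uses named
  # groups, the unnamed parentheses do not capture.
  user_re = /user (?<user_name>[^\s]+) {(\s+ full-name (?<full_name>[^;]+);)?\s+ uid (?<user_uid>\d+);\s+ class (?<user_permission>super-user|operator|read-only|unauthorized|[^;]+);\s+ authentication {\s+encrypted-password "(?<user_hash>[^\s]+)";/i
  config.scan(user_re).each do |result|
    user_name, _full_name, user_uid, user_permission, user_hash = result.map { |v| v&.strip }
    jtr_format = Metasploit::Framework::Hashes.identify_hash user_hash
    print_good("User #{user_uid} named #{user_name} in group #{user_permission} found with password hash #{user_hash}.")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:username] = user_name
    cred[:jtr_format] = jtr_format
    cred[:private_data] = user_hash
    create_credential_and_login(cred)
  end

  # SNMP communities, recorded as :password on udp/161. Special characters
  # allowed in community strings: https://supportf5.com/csp/article/K6449
  # The hyphen is escaped inside the class; unescaped, `/-:` is a range.
  snmp_re = %r{community "?(?<snmp_community>[\w\d\s().*/\-:_?=@,&%$+!]+)"? \{(\s+view [\w\-]+;)?\s+authorization read-(?<snmp_permission>only|write)}i
  config.scan(snmp_re).each do |community, permission|
    snmp_community = community.strip
    snmp_permissions = permission.strip
    print_good("SNMP community #{snmp_community} with permissions read-#{snmp_permissions}")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:access_level] = snmp_permissions.casecmp?('write') ? 'RW' : 'RO'
    cred[:protocol] = 'udp'
    cred[:port] = 161
    cred[:private_data] = snmp_community
    cred[:private_type] = :password
    cred[:service_name] = 'snmp'
    create_credential_and_login(cred)
  end

  # RADIUS shared secrets, recorded against the RADIUS server (udp/1812).
  # Only the single-line rendering
  #   radius-server {
  #       10.0.0.1 secret "$9$..."; ## SECRET-DATA
  #   }
  # is matched: the outer block is cut at the first `}`, so a server rendered
  # as its own nested `{ ... }` block is not picked up — NOTE(review): confirm
  # whether that rendering needs support.
  config.scan(/\s*radius-server \{([^}]+)\}/i).each do |result_block|
    result_block[0].strip.scan(/(?<radius_server>[0-9.]{7,15}) secret "(?<radius_hash>[^"]+)";/i).each do |server, secret|
      radius_server = server.strip
      radius_hash = secret.strip
      jtr_format = Metasploit::Framework::Hashes.identify_hash radius_hash
      print_good("radius server #{radius_server} password hash: #{radius_hash}")
      next unless framework.db.active

      cred = credential_data.dup
      cred[:address] = radius_server
      cred[:port] = 1812
      cred[:protocol] = 'udp'
      cred[:jtr_format] = jtr_format
      cred[:private_data] = radius_hash
      cred[:service_name] = 'radius'
      create_credential_and_login(cred)
    end
  end

  # TACACS+ shared secrets, recorded against the TACACS+ server (tcp/49) in
  # the same way as RADIUS above; the same single-line-only limitation applies.
  config.scan(/\s*tacplus-server \{([^}]+)\}/i).each do |result_block|
    result_block[0].strip.scan(/(?<tacplus_server>[0-9.]{7,15}) secret "(?<hash>[^"]+)";/i).each do |server, secret|
      ip = server.strip
      hash = secret.strip
      jtr_format = Metasploit::Framework::Hashes.identify_hash hash
      print_good("tacplus server #{ip} with password hash #{hash}")
      next unless framework.db.active

      cred = credential_data.dup
      cred[:address] = ip
      cred[:port] = 49
      cred[:protocol] = 'tcp'
      cred[:service_name] = 'tacacs'
      cred[:jtr_format] = jtr_format
      cred[:private_data] = hash
      create_credential_and_login(cred)
    end
  end

  # PAP secrets, recorded as PPTP (tcp/1723). Both captures are bounded by the
  # closing quote so that several `pap { ... }` blocks are reported separately.
  pap_re = /pap {\s+local-name "(?<ppp_username>[^"]+)";\s+local-password "(?<ppp_hash>[^"]+)";/i
  config.scan(pap_re).each do |username, secret|
    ppp_username = username.strip
    ppp_hash = secret.strip
    print_good("PPTP username #{ppp_username} hash #{ppp_hash} via PAP")
    next unless framework.db.active

    cred = credential_data.dup
    cred[:username] = ppp_username
    cred[:private_data] = ppp_hash
    cred[:service_name] = 'pptp'
    cred[:port] = 1723
    create_credential_and_login(cred)
  end
end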
end
end