Path: blob/master/lib/msf/core/auxiliary/juniper.rb
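# -*- coding: binary -*-

module Msf
  ###
  #
  # This module provides methods for working with Juniper equipment
  #
  ###
  module Auxiliary::Juniper
    include Msf::Auxiliary::Report

    # Parses a Juniper ScreenOS (NetScreen) configuration dump: reports the host,
    # stores the configuration as loot and records every credential it recognises
    # (admin, local users, SNMP communities, PPP profiles and IKE pre-shared keys).
    #
    # @param thost [String] address of the device the configuration came from
    # @param tport [Integer] port the configuration was retrieved over
    # @param config [String] raw configuration text
    # @return [void]
    def juniper_screenos_config_eater(thost, tport, config)
      # this is for the netscreen OS, which came on SSG (ie SSG5) type devices.
      # It is similar to cisco, however it doesn't always put all fields we care
      # about on one line.
      # Docs: snmp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB4223
      #       ppp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB22592
      #       ike -> https://kb.juniper.net/KB4147
      #       https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L171

      report_host({
        host: thost,
        os_name: 'Juniper ScreenOS'
      })

      # Template for every credential recorded below. It is only built when the
      # database is active; each consumer is guarded by the same check, so the
      # nil it would otherwise be is never dereferenced.
      if framework.db.active
        credential_data = {
          address: thost,
          port: tport,
          protocol: 'tcp',
          workspace_id: myworkspace_id,
          origin_type: :service,
          service_name: '',
          private_type: :nonreplayable_hash,
          module_fullname: fullname,
          status: Metasploit::Model::Login::Status::UNTRIED
        }
      end

      store_loot('juniper.netscreen.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')

      # admin name and password
      # Example lines:
      # set admin name "netscreen"
      # set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
      # /m lets the .+ between the two statements span line breaks.
      config.scan(/set admin name "(?<admin_name>[a-z0-9]+)".+set admin password "(?<admin_password_hash>[a-z0-9]+)"/mi).each do |result|
        admin_name = result[0].strip
        admin_hash = result[1].strip
        print_good("Admin user #{admin_name} found with password hash #{admin_hash}")
        next unless framework.db.active

        cred = credential_data.dup
        cred[:username] = admin_name
        cred[:private_data] = admin_hash
        create_credential_and_login(cred)
      end

      # user account
      # Example lines:
      # set user "testuser" uid 1
      # set user "testuser" type auth
      # set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
      # set user "testuser" enable
      # \k<user_name> ties the four statements to the same account; capture order
      # is name, uid, type, hash, enable.
      config.scan(/set user "(?<user_name>[a-z0-9]+)" uid (?<user_uid>\d+).+set user "\k<user_name>" type (?<user_type>\w+).+set user "\k<user_name>" hash-password "(?<user_hash>[0-9a-z=]{38})".+set user "\k<user_name>" (?<user_enable>enable).+/mi).each do |result|
        user_name = result[0].strip
        user_uid = result[1].strip
        user_enable = result[4].strip
        user_hash = result[3].strip
        print_good("User #{user_uid} named #{user_name} found with password hash #{user_hash}. Enable permission: #{user_enable}")
        next unless framework.db.active

        cred = credential_data.dup
        cred[:username] = user_name
        cred[:jtr_format] = 'sha1'
        cred[:private_data] = user_hash
        create_credential_and_login(cred)
      end

      # snmp
      # Example lines:
      # set snmp community "sales" Read-Write Trap-on traffic version v1
      config.scan(/set snmp community "(?<snmp_community>[a-z0-9]+)" (?<snmp_permissions>Read-Write|Read-Only)/i).each do |result|
        snmp_community = result[0].strip
        snmp_permissions = result[1].strip
        print_good("SNMP community #{snmp_community} with permissions #{snmp_permissions}")
        next unless framework.db.active

        cred = credential_data.dup
        cred[:access_level] = snmp_permissions.casecmp?('read-write') ? 'RW' : 'RO'
        # SNMP communities are plaintext secrets on udp/161, not hashes.
        cred[:protocol] = 'udp'
        cred[:port] = 161
        cred[:service_name] = 'snmp'
        cred[:private_data] = snmp_community
        cred[:private_type] = :password
        create_credential_and_login(cred)
      end

      # ppp
      # Example lines:
      # setppp profile "ISP" auth type pap
      # setppp profile "ISP" auth local-name "username"
      # setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="
      # Capture order is profile name, auth type, username, secret.
      config.scan(/setppp profile "(?<ppp_name>[a-z0-9]+)" auth type (?<ppp_authtype>[a-z]+).+setppp profile "\k<ppp_name>" auth local-name "(?<ppp_username>[a-z0-9]+)".+setppp profile "\k<ppp_name>" auth secret "(?<ppp_hash>.+)"/mi).each do |result|
        ppp_name = result[0].strip
        ppp_authtype = result[1].strip
        ppp_username = result[2].strip
        ppp_hash = result[3].strip
        print_good("PPTP Profile #{ppp_name} with username #{ppp_username} hash #{ppp_hash} via #{ppp_authtype}")
        next unless framework.db.active

        cred = credential_data.dup
        cred[:username] = ppp_username
        cred[:private_data] = ppp_hash
        cred[:service_name] = 'pptp'
        cred[:port] = 1723
        create_credential_and_login(cred)
      end

      # ike
      # Example lines:
      # set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
      config.scan(/set ike gateway "(?<ike_name>.+)" address (?<ike_address>[0-9.]+) Main outgoing-interface ".+" preshare "(?<ike_password>.+)" proposal "(?<ike_method>.+)"/i).each do |result|
        ike_name = result[0].strip
        ike_address = result[1].strip
        ike_password = result[2].strip
        ike_method = result[3].strip
        print_good("IKE Profile #{ike_name} to #{ike_address} with password #{ike_password} via #{ike_method}")
        next unless framework.db.active

        # The pre-shared key belongs to the remote gateway, so the credential is
        # recorded against that peer (udp/500) rather than the parsed device.
        cred = credential_data.dup
        cred[:private_data] = ike_password
        cred[:private_type] = :password
        cred[:service_name] = 'ike'
        cred[:port] = 500
        cred[:address] = ike_address
        cred[:protocol] = 'udp'
        create_credential_and_login(cred)
      end
    end

    # Parses a Juniper JunOS configuration dump: reports the host, stores the
    # configuration as loot and records every credential it recognises (root and
    # user password hashes, SNMP communities, RADIUS/TACACS+ shared secrets and
    # PPP PAP credentials).
    #
    # @param thost [String] address of the device the configuration came from
    # @param tport [Integer] port the configuration was retrieved over
    # @param config [String] raw configuration text
    # @return [void]
    def juniper_junos_config_eater(thost, tport, config)
      report_host({
        host: thost,
        os_name: 'Juniper JunOS'
      })

      # Template for every credential recorded below; only built when the
      # database is active, and every consumer is guarded by the same check.
      if framework.db.active
        credential_data = {
          address: thost,
          port: tport,
          protocol: 'tcp',
          workspace_id: myworkspace_id,
          origin_type: :service,
          private_type: :nonreplayable_hash,
          service_name: '',
          module_fullname: fullname,
          status: Metasploit::Model::Login::Status::UNTRIED
        }
      end

      # Loot keeps the original layout; the flattened copy below is only for matching.
      store_loot('juniper.junos.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper JunOS Configuration')

      # we'll take out the pretty format so its easier to regex
      config = config.split("\n").join('')

      # Example:
      # system {
      #   root-authentication {
      #     encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
      #   }
      # }
      # A regex literal on the left of =~ binds the named capture to the local root_hash.
      if /root-authentication\s+\{\s+encrypted-password "(?<root_hash>[^"]+)";/i =~ config
        root_hash = root_hash.strip
        jtr_format = Metasploit::Framework::Hashes.identify_hash root_hash

        print_good("root password hash: #{root_hash}")
        if framework.db.active
          cred = credential_data.dup
          cred[:username] = 'root'
          cred[:jtr_format] = jtr_format
          cred[:private_data] = root_hash
          create_credential_and_login(cred)
        end
      end

      # access privileges https://kb.juniper.net/InfoCenter/index?page=content&id=KB10902
      # Once a regex has named groups Ruby does not capture the plain (...) around
      # the optional full-name, so the indexes are: 0 name, 1 full-name, 2 uid,
      # 3 class, 4 hash.
      config.scan(/user (?<user_name>[^\s]+) {(\s+ full-name (?<fullname>[^;]+);)?\s+ uid (?<user_uid>\d+);\s+ class (?<user_permission>super-user|operator|read-only|unauthorized|[^;]+);\s+ authentication {\s+encrypted-password "(?<user_hash>[^\s]+)";/i).each do |result|
        user_name = result[0].strip
        user_uid = result[2].strip
        user_permission = result[3].strip
        user_hash = result[4].strip
        jtr_format = Metasploit::Framework::Hashes.identify_hash user_hash

        print_good("User #{user_uid} named #{user_name} in group #{user_permission} found with password hash #{user_hash}.")
        next unless framework.db.active

        cred = credential_data.dup
        cred[:username] = user_name
        cred[:jtr_format] = jtr_format
        cred[:private_data] = user_hash
        create_credential_and_login(cred)
      end

      # https://supportf5.com/csp/article/K6449 special characters allowed in snmp community strings
      # The optional (\s+view ...) group is unnamed and therefore not captured:
      # result is [community, permission].
      config.scan(%r{community "?(?<snmp_community>[\w\d\s().*/-:_?=@,&%$+!]+)"? \{(\s+view [\w\-]+;)?\s+authorization read-(?<snmp_permission>only|write)}i).each do |result|
        snmp_community = result[0].strip
        snmp_permissions = result[1].strip
        print_good("SNMP community #{snmp_community} with permissions read-#{snmp_permissions}")
        next unless framework.db.active

        cred = credential_data.dup
        cred[:access_level] = snmp_permissions.casecmp?('write') ? 'RW' : 'RO'
        cred[:protocol] = 'udp'
        cred[:port] = 161
        cred[:private_data] = snmp_community
        cred[:private_type] = :password
        cred[:service_name] = 'snmp'
        create_credential_and_login(cred)
      end

      # radius-server
      # Outer scan isolates each radius-server { ... } block, inner scan pulls
      # every "<server> secret "<secret>";" pair out of it.
      config.scan(/\s*radius-server \{([^}]+)\}/i).each do |result_block|
        result_block[0].strip.scan(/(?<radius_server>[0-9.]{7,15}) secret "(?<radius_hash>[^"]+)";/i).each do |result|
          radius_server = result[0].strip
          radius_hash = result[1].strip
          print_good("radius server #{radius_server} password hash: #{radius_hash}")
          next unless framework.db.active

          # The shared secret belongs to the RADIUS server, so record it against
          # that host on udp/1812, not against the parsed device.
          cred = credential_data.dup
          cred[:address] = radius_server
          cred[:port] = 1812
          cred[:protocol] = 'udp'
          cred[:private_data] = radius_hash
          cred[:service_name] = 'radius'
          create_credential_and_login(cred)
        end
      end

      # tacplus-server
      # Same shape as radius-server above.
      config.scan(/\s*tacplus-server \{([^}]+)\}/i).each do |result_block|
        result_block[0].strip.scan(/(?<tacplus_server>[0-9.]{7,15}) secret "(?<hash>[^"]+)";/i).each do |result|
          tacplus_server = result[0].strip
          tacplus_hash = result[1].strip
          jtr_format = Metasploit::Framework::Hashes.identify_hash tacplus_hash
          print_good("tacplus server #{tacplus_server} with password hash #{tacplus_hash}")
          next unless framework.db.active

          # Mirror the radius-server handling: the secret is shared with the
          # TACACS+ server, so attribute it to that host on tcp/49 instead of
          # leaving the template's parsed-device address, port and empty service.
          cred = credential_data.dup
          cred[:address] = tacplus_server
          cred[:port] = 49
          cred[:protocol] = 'tcp'
          cred[:service_name] = 'tacacs'
          cred[:jtr_format] = jtr_format
          cred[:private_data] = tacplus_hash
          create_credential_and_login(cred)
        end
      end

      # ppp pap { local-name "..."; local-password "..."; }
      config.scan(/pap {\s+local-name "(?<ppp_username>.+)";\s+local-password "(?<ppp_hash>[^"]+)";/i).each do |result|
        ppp_username = result[0].strip
        ppp_hash = result[1].strip
        print_good("PPTP username #{ppp_username} hash #{ppp_hash} via PAP")
        next unless framework.db.active

        cred = credential_data.dup
        cred[:username] = ppp_username
        cred[:private_data] = ppp_hash
        cred[:service_name] = 'pptp'
        cred[:port] = 1723
        create_credential_and_login(cred)
      end
    end
  end
end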