Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2

3
module Msf
4
  ###
5
  #
6
  # This module provides methods for working with Prometheus node exporter
7
  #
8
  ###
9
  module Auxiliary::Prometheus
10
    include Msf::Auxiliary::Report
11

12
    # returns username, password
13
    def process_authorization(auth)
14
      if auth['credentials']
15
        # credential foobar
16
        return '', auth['credentials']
17
      elsif auth['credentials_file']
18
        # type: Bearer
19
        # credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
20
        return auth['type'], auth['credentials_file']
21
      end
22
    end
23

24
    # processes a generic URI for creds
25
    def process_embedded_uri(uri, job_name, config_name)
26
      uri = URI(uri)
27
      cred = credential_data
28
      cred[:port] = uri.port
29
      cred[:address] = uri.host
30
      cred[:username] = uri.user
31
      cred[:private_data] = uri.password
32
      cred[:service_name] = uri.scheme
33
      create_credential_and_login(cred)
34
      @table_creds << [
35
        job_name,
36
        config_name,
37
        uri.host,
38
        uri.port,
39
        uri.user,
40
        uri.password,
41
        ''
42
      ]
43
    end
44

45
    def credential_data
46
      {
47
        # these 4 need to be changed every time
48
        # address: thost,
49
        # port: tport,
50
        # username: username
51
        # private_data: hash
52
        protocol: 'tcp',
53
        workspace_id: myworkspace_id,
54
        origin_type: :service,
55
        private_type: :password,
56
        service_name: '',
57
        module_fullname: fullname,
58
        status: Metasploit::Model::Login::Status::UNTRIED
59
      }
60
    end
61

62
    def process_dns_sd_configs(job_name, dns_sd_configs)
63
      dns_sd_configs['names']&.each do |name|
64
        username = dns_sd_configs.dig('basic_auth', 'username')
65
        password = dns_sd_configs.dig('basic_auth', 'password')
66
        password = dns_sd_configs.dig('basic_auth', 'password_file') if dns_sd_configs.dig('basic_auth', 'password_file')
67
        uri = URI("#{dns_sd_configs['scheme']}://#{name}")
68
        cred = credential_data
69
        cred[:port] = uri.port
70
        cred[:address] = uri.host
71
        cred[:username] = dns_sd_configs.dig('basic_auth', 'username')
72
        cred[:private_data] = password
73
        cred[:service_name] = dns_sd_configs['scheme']
74
        create_credential_and_login(cred)
75
        @table_creds << [
76
          job_name,
77
          'dns_sd_configs',
78
          uri.host,
79
          uri.port,
80
          username,
81
          password,
82
          ''
83
        ]
84
      end
85
    end
86

87
    def process_consul_sd_configs(job_name, consul_sd_configs)
88
      uri = URI("#{consul_sd_configs['scheme']}://#{consul_sd_configs['server']}")
89
      cred = credential_data
90
      cred[:port] = uri.port
91
      cred[:address] = uri.host
92
      cred[:username] = ''
93
      cred[:private_data] = consul_sd_configs['token']
94
      cred[:service_name] = consul_sd_configs['scheme']
95
      create_credential_and_login(cred)
96
      @table_creds << [
97
        job_name,
98
        'consul_sd_configs',
99
        uri.host,
100
        uri.port,
101
        '',
102
        consul_sd_configs['token'],
103
        "Path Prefix: #{consul_sd_configs['path_prefix']}"
104
      ]
105
    end
106

107
    def process_kubernetes_sd_configs(job_name, kubernetes_sd_configs)
108
      username = kubernetes_sd_configs.dig('basic_auth', 'username')
109
      password = kubernetes_sd_configs.dig('basic_auth', 'password')
110
      password = kubernetes_sd_configs.dig('basic_auth', 'password_file') if kubernetes_sd_configs.dig('basic_auth', 'password_file')
111

112
      uri = URI(kubernetes_sd_configs['api_server'])
113
      cred = credential_data
114
      cred[:port] = uri.port
115
      cred[:address] = uri.host
116
      cred[:username] = username
117
      cred[:private_data] = password
118
      cred[:service_name] = uri.scheme
119
      create_credential_and_login(cred)
120
      @table_creds << [
121
        job_name,
122
        'kubernetes_sd_configs',
123
        uri.host,
124
        uri.port,
125
        username,
126
        password,
127
        "Role: #{kubernetes_sd_configs['role']}"
128
      ]
129
    end
130

131
    def process_kuma_sd_configs(job_name, targets)
132
      return if targets['server'].nil?
133
      return unless targets['server'].include? '@'
134

135
      process_embedded_uri(targets['server'], job_name, 'kuma_sd_configs')
136
    end
137

138
    def process_marathon_sd_configs(job_name, marathon_sd_configs)
139
      marathon_sd_configs['servers']&.each do |servers|
140
        uri = URI(servers)
141
        cred = credential_data
142
        cred[:port] = uri.port
143
        cred[:address] = uri.host
144
        cred[:username] = ''
145
        cred[:private_data] = marathon_sd_configs['auth_token']
146
        cred[:service_name] = uri.scheme
147
        create_credential_and_login(cred)
148
        @table_creds << [
149
          job_name,
150
          'marathon_sd_configs',
151
          uri.host,
152
          uri.port,
153
          '',
154
          marathon_sd_configs['auth_token'],
155
          ''
156
        ]
157
      end
158
    end
159

160
    def process_nomad_sd_configs(job_name, targets)
161
      return if targets['server'].nil?
162
      return unless targets['server'].include? '@'
163

164
      process_embedded_uri(targets['server'], job_name, 'nomad_sd_configs')
165
    end
166

167
    def process_ec2_sd_configs(job_name, ec2_sd_configs)
168
      cred = credential_data
169
      cred[:port] = ''
170
      cred[:address] = ''
171
      cred[:username] = ec2_sd_configs['access_key']
172
      cred[:private_data] = ec2_sd_configs['secret_key']
173
      cred[:service_name] = ''
174
      create_credential_and_login(cred)
175
      @table_creds << [
176
        job_name,
177
        'ec2_sd_configs',
178
        '',
179
        '',
180
        ec2_sd_configs['access_key'],
181
        ec2_sd_configs['secret_key'],
182
        "Region: #{ec2_sd_configs['region']}, Profile: #{ec2_sd_configs['profile']}"
183
      ]
184
    end
185

186
    def process_lightsail_sd_configs(job_name, lightsail_sd_configs)
187
      cred = credential_data
188
      cred[:port] = ''
189
      cred[:address] = ''
190
      cred[:username] = lightsail_sd_configs['access_key']
191
      cred[:private_data] = lightsail_sd_configs['secret_key']
192
      cred[:service_name] = ''
193
      create_credential_and_login(cred)
194
      @table_creds << [
195
        job_name,
196
        'lightsail_sd_configs',
197
        '',
198
        '',
199
        lightsail_sd_configs['access_key'],
200
        lightsail_sd_configs['secret_key'],
201
        "Region: #{lightsail_sd_configs['region']}, Profile: #{lightsail_sd_configs['profile']}"
202
      ]
203
    end
204

205
    def process_azure_sd_configs(job_name, azure_sd_configs)
206
      cred = credential_data
207
      cred[:port] = azure_sd_configs['port']
208
      cred[:address] = ''
209
      cred[:username] = azure_sd_configs['client_id']
210
      cred[:private_data] = azure_sd_configs['client_secret']
211
      cred[:service_name] = azure_sd_configs['authentication_method']
212
      create_credential_and_login(cred)
213
      @table_creds << [
214
        job_name,
215
        'azure_sd_configs',
216
        '',
217
        azure_sd_configs['port'],
218
        azure_sd_configs['client_id'],
219
        azure_sd_configs['client_secret'],
220
        "Environment: #{azure_sd_configs['environment']}, Subscription ID: #{azure_sd_configs['subscription_id']}, Resource Group: #{azure_sd_configs['resource_group']}, Tenant ID: #{azure_sd_configs['tenant_id']}"
221
      ]
222
    end
223

224
    def process_http_sd_configs(job_name, http_sd_configs)
225
      return if http_sd_configs['url'].nil?
226
      return unless http_sd_configs['url'].include? '@'
227

228
      process_embedded_uri(http_sd_configs['url'], job_name, 'http_sd_configs')
229
    end
230

231
    def process_digitalocean_sd_configs(job_name, digitalocean_sd_configs)
232
      username, password = process_authorization(digitalocean_sd_configs['authorization'])
233
      cred = credential_data
234
      cred[:port] = ''
235
      cred[:address] = ''
236
      cred[:username] = username
237
      cred[:private_data] = password
238
      create_credential_and_login(cred)
239
      @table_creds << [
240
        job_name,
241
        'digitalocean_sd_configs',
242
        '',
243
        '',
244
        username,
245
        password,
246
        ''
247
      ]
248
    end
249

250
    def process_hetzner_sd_configs(job_name, hetzner_sd_configs)
251
      username = hetzner_sd_configs.dig('basic_auth', 'username')
252
      password = hetzner_sd_configs.dig('basic_auth', 'password')
253

254
      username, password = process_authorization(hetzner_sd_configs['authorization']) if hetzner_sd_configs.dig('authorization', 'credentials')
255

256
      cred = credential_data
257
      cred[:port] = ''
258
      cred[:address] = ''
259
      cred[:username] = username
260
      cred[:private_data] = password
261
      create_credential_and_login(cred)
262
      @table_creds << [
263
        job_name,
264
        'hetzner_sd_configs',
265
        '',
266
        '',
267
        username,
268
        password,
269
        hetzner_sd_configs['role']
270
      ]
271
    end
272

273
    def process_eureka_sd_configs(job_name, eureka_sd_configs)
274
      return if eureka_sd_configs['server'].nil?
275
      return unless eureka_sd_configs['server'].include? '@'
276

277
      process_embedded_uri(eureka_sd_configs['server'], job_name, 'eureka_sd_configs')
278
    end
279

280
    def process_ovhcloud_sd_configs(job_name, ovhcloud_sd_configs)
281
      cred = credential_data
282
      cred[:port] = ''
283
      cred[:address] = ovhcloud_sd_configs['endpoint']
284
      cred[:username] = ovhcloud_sd_configs['application_key']
285
      cred[:private_data] = ovhcloud_sd_configs['application_secret']
286
      cred[:service_name] = ovhcloud_sd_configs['service']
287
      create_credential_and_login(cred)
288
      @table_creds << [
289
        job_name,
290
        'ovhcloud_sd_configs',
291
        ovhcloud_sd_configs['endpoint'],
292
        '',
293
        ovhcloud_sd_configs['application_key'],
294
        ovhcloud_sd_configs['application_secret'],
295
        "Consumer Key: #{ovhcloud_sd_configs['consumer_key']}, Service: #{ovhcloud_sd_configs['service']}"
296
      ]
297
    end
298

299
    def process_scaleway_sd_configs(job_name, scaleway_sd_configs)
300
      cred = credential_data
301
      cred[:port] = ''
302
      cred[:address] = ''
303
      cred[:username] = scaleway_sd_configs['access_key']
304
      cred[:private_data] = scaleway_sd_configs['secret_key']
305
      cred[:service_name] = scaleway_sd_configs['role']
306
      create_credential_and_login(cred)
307
      @table_creds << [
308
        job_name,
309
        'scaleway_sd_configs',
310
        '',
311
        '',
312
        scaleway_sd_configs['access_key'],
313
        scaleway_sd_configs['secret_key'],
314
        "Project ID: #{scaleway_sd_configs['project_id']}, Role: #{scaleway_sd_configs['role']}"
315
      ]
316
    end
317

318
    def process_linode_sd_configs(job_name, linode_sd_configs)
319
      username, password = process_authorization(linode_sd_configs['authorization'])
320
      cred = credential_data
321
      cred[:port] = ''
322
      cred[:address] = ''
323
      cred[:username] = username
324
      cred[:private_data] = password
325
      create_credential_and_login(cred)
326
      @table_creds << [
327
        job_name,
328
        'linode_sd_configs',
329
        '',
330
        '',
331
        username,
332
        password,
333
        ''
334
      ]
335
    end
336

337
    def process_uyuni_sd_configs(job_name, uyuni_sd_configs)
338
      uri = URI(uyuni_sd_configs['server'])
339
      cred = credential_data
340
      cred[:port] = uri.port
341
      cred[:address] = uri.host
342
      cred[:username] = uyuni_sd_configs['username']
343
      cred[:private_data] = uyuni_sd_configs['password']
344
      cred[:service_name] = uri.scheme
345
      create_credential_and_login(cred)
346
      @table_creds << [
347
        job_name,
348
        'uyuni_sd_configs',
349
        uri.host,
350
        uri.port,
351
        uyuni_sd_configs['username'],
352
        uyuni_sd_configs['password'],
353
        ''
354
      ]
355
    end
356

357
    def process_ionos_sd_configs(job_name, ionos_sd_configs)
358
      _username, password = process_authorization(ionos_sd_configs['authorization'])
359
      # we may hit an issue here where we have a type stored in username, but use datacenter_id
360
      # as the username
361
      cred = credential_data
362
      cred[:port] = ''
363
      cred[:address] = ''
364
      cred[:username] = ionos_sd_configs['datacenter_id']
365
      cred[:private_data] = password
366
      create_credential_and_login(cred)
367
      @table_creds << [
368
        job_name,
369
        'ionos_sd_configs',
370
        '',
371
        '',
372
        ionos_sd_configs['datacenter_id'],
373
        password,
374
        ''
375
      ]
376
    end
377

378
    def process_vultr_sd_configs(job_name, vultr_sd_configs)
379
      username, password = process_authorization(vultr_sd_configs['authorization'])
380
      cred = credential_data
381
      cred[:port] = ''
382
      cred[:address] = ''
383
      cred[:username] = username
384
      cred[:private_data] = password
385
      create_credential_and_login(cred)
386
      @table_creds << [
387
        job_name,
388
        'vultr_sd_configs',
389
        '',
390
        '',
391
        username,
392
        password,
393
        ''
394
      ]
395
    end
396

397
    def prometheus_config_eater(yamlconf)
398
      @table_creds = Rex::Text::Table.new(
399
        'Header' => 'Credentials',
400
        'Indent' => 2,
401
        'Columns' =>
402
        [
403
          'Name',
404
          'Config',
405
          'Host',
406
          'Port',
407
          'Public/Username',
408
          'Private/Password/Token',
409
          'Notes'
410
        ]
411
      )
412

413
      yamlconf['scrape_configs']&.each do |scrape|
414
        # check for targets which have creds built in to the URL
415
        if scrape['static_configs']
416
          scrape['static_configs']&.each do |static|
417
            static['targets']&.each do |target|
418
              if target.include? '@'
419
                uri = URI(target)
420
                cred = credential_data
421
                cred[:port] = uri.port
422
                cred[:address] = uri.host
423
                cred[:username] = uri.user
424
                cred[:private_data] = uri.password
425
                cred[:service_name] = uri.scheme
426
                create_credential_and_login(cred)
427
                @table_creds << [
428
                  scrape['job_name'],
429
                  'static_configs Target',
430
                  uri.host,
431
                  uri.port,
432
                  uri.user,
433
                  uri.password,
434
                  ''
435
                ]
436
              end
437
            end
438
          end
439
        elsif scrape['dns_sd_configs']
440
          scrape['dns_sd_configs']&.each do |dns_sd_configs|
441
            # pass in basic_auth from the level above
442
            if dns_sd_configs['basic_auth'].nil? && scrape['basic_auth']
443
              dns_sd_configs['basic_auth'] = {}
444
              dns_sd_configs['basic_auth']['username'] = scrape.dig('basic_auth', 'username') if scrape.dig('basic_auth', 'username')
445
              dns_sd_configs['basic_auth']['password'] = scrape.dig('basic_auth', 'password') if scrape.dig('basic_auth', 'password')
446
              dns_sd_configs['basic_auth']['password_file'] = scrape.dig('basic_auth', 'password_file') if scrape.dig('basic_auth', 'password_file')
447
            end
448

449
            # pass in the 'scheme' from a level above to properly build the URI
450
            if dns_sd_configs['scheme'].nil? && scrape['scheme']
451
              dns_sd_configs['scheme'] = scrape['scheme']
452
            end
453

454
            process_dns_sd_configs(scrape['job_name'], dns_sd_configs)
455
          end
456
        elsif scrape['consul_sd_configs']
457
          scrape['consul_sd_configs']&.each do |consul_sd_configs|
458
            process_consul_sd_configs(scrape['job_name'], consul_sd_configs)
459
          end
460
        elsif scrape['authorization']
461
          username, password = process_authorization(scrape['authorization'])
462
          cred = credential_data
463
          cred[:port] = ''
464
          cred[:address] = ''
465
          cred[:username] = username
466
          cred[:private_data] = password
467
          create_credential_and_login(cred)
468
          @table_creds << [
469
            scrape['job_name'],
470
            'authorization',
471
            '',
472
            '',
473
            username,
474
            password,
475
            ''
476
          ]
477
        elsif scrape['kubernetes_sd_configs']
478
          scrape['kubernetes_sd_configs']&.each do |kubernetes_sd_configs|
479
            next unless kubernetes_sd_configs['api_server']
480

481
            # if scrape has basic auth, but the individual config doesn't
482
            # add it to the individual config
483
            if kubernetes_sd_configs['basic_auth'].nil? && scrape['basic_auth']
484
              kubernetes_sd_configs['basic_auth'] = {}
485
              kubernetes_sd_configs['basic_auth']['username'] = scrape.dig('basic_auth', 'username') if scrape.dig('basic_auth', 'username')
486
              kubernetes_sd_configs['basic_auth']['password'] = scrape.dig('basic_auth', 'password') if scrape.dig('basic_auth', 'password')
487
              kubernetes_sd_configs['basic_auth']['password'] = scrape.dig('basic_auth', 'password_file') if scrape.dig('basic_auth', 'password_file')
488
            end
489

490
            process_kubernetes_sd_configs(scrape['job_name'], kubernetes_sd_configs)
491
          end
492
        elsif scrape['kuma_sd_configs']
493
          scrape['kuma_sd_configs']&.each do |targets|
494
            process_kuma_sd_configs(scrape['job_name'], targets)
495
          end
496
        elsif scrape['marathon_sd_configs']
497
          scrape['marathon_sd_configs']&.each do |marathon_sd_configs|
498
            process_marathon_sd_configs(scrape['job_name'], marathon_sd_configs)
499
          end
500
        elsif scrape['nomad_sd_configs']
501
          scrape['nomad_sd_configs']&.each do |targets|
502
            process_nomad_sd_configs(scrape['job_name'], targets)
503
          end
504
        elsif scrape['ec2_sd_configs']
505
          scrape['ec2_sd_configs']&.each do |ec2_sd_configs|
506
            process_ec2_sd_configs(scrape['job_name'], ec2_sd_configs)
507
          end
508
        elsif scrape['lightsail_sd_configs']
509
          scrape['lightsail_sd_configs']&.each do |lightsail_sd_configs|
510
            process_lightsail_sd_configs(scrape['job_name'], lightsail_sd_configs)
511
          end
512
        elsif scrape['azure_sd_configs']
513
          scrape['azure_sd_configs']&.each do |azure_sd_configs|
514
            process_azure_sd_configs(scrape['job_name'], azure_sd_configs)
515
          end
516
        elsif scrape['http_sd_configs']
517
          scrape['http_sd_configs']&.each do |http_sd_configs|
518
            process_http_sd_configs(scrape['job_name'], http_sd_configs)
519
          end
520
        elsif scrape['digitalocean_sd_configs']
521
          scrape['digitalocean_sd_configs']&.each do |digitalocean_sd_configs|
522
            process_digitalocean_sd_configs(scrape['job_name'], digitalocean_sd_configs)
523
          end
524
        elsif scrape['hetzner_sd_configs']
525
          scrape['hetzner_sd_configs']&.each do |hetzner_sd_configs|
526
            process_hetzner_sd_configs(scrape['job_name'], hetzner_sd_configs)
527
          end
528
        elsif scrape['eureka_sd_configs']
529
          scrape['eureka_sd_configs']&.each do |eureka_sd_configs|
530
            process_eureka_sd_configs(scrape['job_name'], eureka_sd_configs)
531
          end
532
        elsif scrape['ovhcloud_sd_configs']
533
          scrape['ovhcloud_sd_configs']&.each do |ovhcloud_sd_configs|
534
            process_ovhcloud_sd_configs(scrape['job_name'], ovhcloud_sd_configs)
535
          end
536
        elsif scrape['scaleway_sd_configs']
537
          scrape['scaleway_sd_configs']&.each do |scaleway_sd_configs|
538
            process_scaleway_sd_configs(scrape['job_name'], scaleway_sd_configs)
539
          end
540
        elsif scrape['linode_sd_configs']
541
          scrape['linode_sd_configs']&.each do |linode_sd_configs|
542
            process_linode_sd_configs(scrape['job_name'], linode_sd_configs)
543
          end
544
        elsif scrape['uyuni_sd_configs']
545
          scrape['uyuni_sd_configs']&.each do |uyuni_sd_configs|
546
            process_uyuni_sd_configs(scrape['job_name'], uyuni_sd_configs)
547
          end
548
        elsif scrape['ionos_sd_configs']
549
          scrape['ionos_sd_configs']&.each do |ionos_sd_configs|
550
            process_ionos_sd_configs(scrape['job_name'], ionos_sd_configs)
551
          end
552
        elsif scrape['vultr_sd_configs']
553
          scrape['vultr_sd_configs']&.each do |vultr_sd_configs|
554
            process_vultr_sd_configs(scrape['job_name'], vultr_sd_configs)
555
          end
556
        end
557
      end
558
      print_good(@table_creds.to_s) if !@table_creds.rows.empty?
559
    end
560

561
    def process_results_page(page)
562
      # data is in a strange 'label{optional_kv_hash-ish} value' format.
563
      return nil if page.nil?
564

565
      results = []
566
      page.scan(/^(?<name>\w+)(?:{(?<labels>[^}]+)})? (?<value>[\w.+-]+)/).each do |hit|
567
        result = {}
568
        value = { 'value' => hit[2], 'labels' => {} }
569
        if hit[1]
570
          hit[1].scan(/(?<key>[^=]+?)="(?<value>[^"]*)",?/).each do |label|
571
            value['labels'][label[0]] = label[1]
572
          end
573
        end
574
        result[hit[0]] = value
575
        results.append(result)
576
      end
577
      return results
578
    end
579
  end
580
end
581

582