Path: blob/master/lib/msf/core/auxiliary/vyos.rb
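# -*- coding: binary -*-

module Msf
  ###
  #
  # This module provides methods for working with VyOS equipment
  #
  ###
  module Auxiliary::VYOS
    include Msf::Auxiliary::Report

    # Parses the text of a VyOS configuration and records what it finds:
    # local user accounts (hash and/or plaintext password), SNMP communities,
    # hostname, release version, ethernet interfaces, and wireless
    # passphrases / RADIUS keys.
    #
    # Handling notes for anyone operating or auditing this code:
    # * Every recovered secret is passed verbatim to print_good, so anything
    #   that captures console output will contain it. With `store` set, the
    #   whole configuration (secrets included) is also written out through
    #   store_loot.
    # * `config` is text supplied by the remote device. Captured values are
    #   interpolated into console output unmodified.
    #   NOTE(review): presumably the console layer neutralises control
    #   characters in that text - confirm.
    #
    # store_loot, report_host, create_credential_and_login, myworkspace_id,
    # fullname, framework, print_good and vprint_good are not defined here;
    # they are expected to come from the including module and its mixins.
    #
    # @param thost [String] address of the device the configuration came from
    # @param tport [Integer] port the configuration was obtained over
    # @param config [String] raw configuration text
    # @param store [Boolean] when true, save the configuration as loot
    def vyos_config_eater(thost, tport, config, store = true)
      credential_data = {
        address: thost,
        port: tport,
        protocol: 'tcp',
        workspace_id: myworkspace_id,
        origin_type: :service,
        private_type: :nonreplayable_hash,
        # jtr_format: 'sha512,crypt', # default on the devices 11.4.0+
        service_name: '',
        module_fullname: fullname,
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      # Default SNMP to UDP
      credential_data[:protocol] = 'udp' if tport == 161

      # Do not keep output that is really a shell error message
      # ("No such file or directory" / "Permission denied").
      if store && !config.include?('such file or directory') && !config.include?('ermission denied')
        loot_path = store_loot('vyos.config', 'text/plain', thost, config.strip, 'config.txt', 'VyOS Configuration')
        vprint_good("#{thost}:#{tport} Config saved to: #{loot_path}")
      end

      host_info = {
        host: thost,
        os_name: 'VyOS'
      }
      report_host(host_info)

      # generated by: cat /config/config.boot
      # https://github.com/rapid7/metasploit-framework/issues/14124

      # login {
      #   user jsmith {
      #     authentication {
      #       encrypted-password $6$ELBrDuW7c/8$nN7MwUST8s8O0R6HMNu/iPoTQ1s..y8HTnXraJ7Hh4bHefRmjt/2U08ZckEw4FU034wbWaeCaB5hq7mC6fNXl/
      #       plaintext-password ""
      #     }
      #     full-name "John Smith"
      #     level operator
      #   }
      #   user vyos {
      #     authentication {
      #       encrypted-password $1$5HsQse2v$VQLh5eeEp4ZzGmCG/PRBA1
      #       plaintext-password ""
      #     }
      #     level admin
      #   }
      # }

      # sometimes the hash is masked

      # login {
      #   user vyos {
      #     authentication {
      #       encrypted-password ****************
      #       plaintext-password ""
      #     }
      #     level admin
      #   }
      # }

      # plaintext-password can also be missing: https://github.com/rapid7/metasploit-framework/pull/14161#discussion_r492884039

      # in >= 1.3 'level' is no longer included and defaults to admin.

      r = 'user ([^ ]+) {\s*authentication {\s*'
      r << 'encrypted-password (\$?[\w$\./\*]*)\s*' # leading $ is optional in case the password is all stars
      r << '(?:plaintext-password "([^"]*)")?\s*' # optional
      r << '}'
      r << '(?:\s*full-name "([^"]*)")?\s*' # optional
      r << '(?:level (operator|admin))?' # 1.3+ seems to have removed operator
      # NOTE(review): interpolating a Regexp object embeds its own option group
      # ((?-mix:...)), so the outer /mi flags likely do not reach this pattern
      # and matching is case-sensitive - confirm before relying on /i here.
      config.scan(/#{Regexp.new(r)}/mi).each do |result|
        username = result[0].strip
        hash = result[1].strip
        # result[3] is the optional full-name; it is captured but not used yet.
        level = result[4].nil? ? 'admin' : result[4].strip
        detail = ''

        cred = credential_data.dup
        cred[:username] = username
        unless hash.start_with?('********') # if not in config mode these are masked
          cred[:jtr_format] = Metasploit::Framework::Hashes.identify_hash(hash)
          cred[:private_data] = hash
          detail = " with hash #{hash}"
        end
        cred[:access_level] = level
        create_credential_and_login(cred) if framework.db.active

        # A non-empty plaintext-password is stored as a second credential and
        # replaces the hash in the console line.
        unless result[2].to_s.strip.empty?
          plaintext = result[2].strip
          cred[:jtr_format] = ''
          cred[:private_type] = :password
          cred[:private_data] = plaintext
          create_credential_and_login(cred) if framework.db.active
          # Leading space added so the message no longer reads "'admin'with password".
          detail = " with password #{plaintext}"
        end
        print_good("#{thost}:#{tport} Username '#{username}' with level '#{level}'#{detail}")
      end

      # generated by: cat /config/config.boot

      # service {
      #   snmp {
      #     community ro {
      #       authorization ro
      #     }
      #     community write {
      #       authorization rw
      #     }
      #   }
      # }

      config.scan(/community (\w+) {\n\s+authorization (ro|rw)/).each do |result|
        community = result[0].strip
        access = result[1].strip
        cred = credential_data.dup
        cred[:port] = 161
        cred[:protocol] = 'udp'
        cred[:service_name] = 'snmp'
        cred[:jtr_format] = ''
        cred[:private_data] = community
        cred[:private_type] = :password
        cred[:access_level] = access
        create_credential_and_login(cred) if framework.db.active
        print_good("#{thost}:#{tport} SNMP Community '#{community}' with #{access} access")
      end

      # generated by: cat /config/config

      # host-name vyos

      # interfaces {
      #   ethernet eth0 {
      #     duplex auto
      #     hw-id 00:0c:29:c7:af:bc
      #     smp_affinity auto
      #     speed auto
      #   }
      #   ethernet eth0 {
      #     address 1.1.1.1/8
      #     hw-id 00:0c:29:c7:af:cc
      #   }
      #   loopback lo {
      #   }
      # }

      # /* Release version: VyOS 1.1.8 */
      # // Release version: VyOS 1.3-rolling-202008270118

      if /host-name (.+)\n/ =~ config
        hostname = Regexp.last_match(1).strip
        print_good("#{thost}:#{tport} Hostname: #{hostname}")
        host_info[:name] = hostname
        report_host(host_info) if framework.db.active
      end

      if %r{^/[/\*]\s?Release version: ([\w \.-]+)} =~ config
        release = Regexp.last_match(1).strip
        print_good("#{thost}:#{tport} OS Version: #{release}")
        host_info[:os_flavor] = release
        report_host(host_info) if framework.db.active
      end

      r = 'ethernet (eth\d{1,3}) {[\w\s":-]+'
      r << '(?:address ([\d\.]{6,16}/\d{1,2})[\w\s:-]+)?'
      r << '(?:description ["\']?([\w\.\_\s]+)["\']?[\w\s:-]+)?'
      r << 'hw-id (\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2})[\w\s:-]+'
      r << '}'
      config.scan(/#{Regexp.new(r)}/i).each do |result|
        name = result[0].strip
        mac = result[3].strip
        # host_info is shared across iterations: :mac, and :host when an
        # address is present, stay set for the interfaces that follow.
        host_info[:mac] = mac
        output = "#{thost}:#{tport} Interface #{name} (#{mac})"

        # static IP address
        unless result[1].nil?
          ip = result[1].split('/')[0].strip
          host_info[:host] = ip
          output << " - #{ip}"
        end

        # description
        output << " with description: #{result[2].strip}" unless result[2].nil?

        report_host(host_info) if framework.db.active
        print_good(output)
      end

      # https://docs.vyos.io/en/crux/interfaces/wireless.html

      # server has type 'access-point', client is 'station'

      # interfaces {
      #   wireless wlan0 {
      #     address 192.168.2.1/24
      #     channel 1
      #     mode n
      #     security {
      #       wpa {
      #         cipher CCMP
      #         mode wpa2
      #         passphrase "12345678"
      #       }
      #     }
      #     ssid "TEST"
      #     type access-point
      #   }
      # }

      # NOTE(review): the `.+` runs are greedy and /m lets them cross newlines,
      # so with several wireless blocks a passphrase could presumably be paired
      # with the ssid/type of a later block - confirm against a multi-radio config.
      config.scan(/wireless (wlan\d{1,3}) {\s+.+passphrase "([^\n"]+)"\s+.+ssid ["']?([^\n"]+)["']?\s+type (access-point|station)/mi).each do |result|
        password = result[1].strip
        ssid = result[2].strip
        type = result[3].strip
        cred = credential_data.dup
        cred[:port] = 1
        cred[:protocol] = 'tcp'
        cred[:service_name] = type == 'access-point' ? 'wireless AP' : 'wireless'
        cred[:jtr_format] = ''
        cred[:private_data] = password
        cred[:username] = ssid
        cred[:private_type] = :password
        create_credential_and_login(cred) if framework.db.active
        print_good("#{thost}:#{tport} Wireless #{type} '#{ssid}' with password: #{password}")
      end

      # wireless (server) with radius

      # interfaces {
      #   wireless wlan0 {
      #     address 192.168.2.1/24
      #     channel 1
      #     mode n
      #     security {
      #       wpa {
      #         cipher CCMP
      #         mode wpa2
      #         radius {
      #           server 192.168.3.10 {
      #             key 'VyOSPassword'
      #             port 1812
      #           }
      #         }
      #       }
      #     }
      #     ssid "Enterprise-TEST"
      #     type access-point
      #   }
      # }

      # The pattern is kept as a single literal; a string-built copy that was
      # assembled here but never used has been dropped.
      config.scan(/wireless (wlan\d{1,3}) {\s*.+radius {\s+server ([^\s]+) {\s*key ['"]?([^\n"']+)['"]?\s*port (\d{1,5})\s*.+ssid ['"]?([^\n"']+)['"]?\s*type (access-point|station)/mi).each do |result|
        server = result[1].strip
        password = result[2].strip
        server_port = result[3].strip
        ssid = result[4].strip
        type = result[5].strip
        cred = credential_data.dup
        cred[:port] = 1
        cred[:protocol] = 'tcp'
        cred[:service_name] = type == 'access-point' ? 'wireless AP' : 'wireless'
        cred[:jtr_format] = ''
        cred[:private_data] = password
        cred[:username] = ssid
        cred[:private_type] = :password
        create_credential_and_login(cred) if framework.db.active
        # server and port were previously concatenated with no separator.
        print_good("#{thost}:#{tport} Wireless #{type} '#{ssid}' with radius password: #{password} to #{server}:#{server_port}")
      end

      # References for configuration sections this method does not parse:
      # https://docs.vyos.io/en/crux/services/ipoe-server.html#radius-setup
      # https://docs.vyos.io/en/crux/services/webproxy.html#authentication
      # https://docs.vyos.io/en/crux/vpn/pptp.html#server-example
      # https://docs.vyos.io/en/crux/interfaces/l2tpv3.html#l2tpv3-over-ipsec-l2-vpn-bridge
      # https://docs.vyos.io/en/crux/interfaces/pppoe.html#pppoe
      # /config/auth/ldap-auth.config
    end
  end
end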