rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/mqtt/connect.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/mqtt'
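# Auxiliary scanner that checks whether an MQTT broker accepts a CONNECT
# without credentials and, if it does not, runs a credential sweep through
# Metasploit::Framework::LoginScanner::MQTT, recording every outcome in the
# framework's credential store.
#
# Defender's view: each attempt is a separate MQTT CONNECT. In MQTT 3.1.1 a
# rejected guess is answered with a non-zero CONNACK return code (0x04 bad
# user name or password, 0x05 not authorized), so a sweep shows up in broker
# logs as a burst of rejected CONNECTs from one source. Brokers that accept
# the empty-credential CONNECT are reported by #default_login.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::MQTT
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Registers the module metadata and the AuthBrute defaults (blank passwords
  # off, user-as-password on, bundled unix user/password wordlists).
  def initialize
    super(
      'Name' => 'MQTT Authentication Scanner',
      'Description' => %q(
        This module attempts to authenticate to MQTT.
      ),
      'Author' => [
        'Jon Hart <jon_hart[at]rapid7.com>'
      ],
      'References' => [
        ['URL', 'http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Table_3.1_-']
      ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'BLANK_PASSWORDS' => false,
        'USER_AS_PASS' => true,
        'USER_FILE' => 'data/wordlists/unix_users.txt',
        'PASS_FILE' => 'data/wordlists/unix_passwords.txt'
      }
    )
  end

  # Performs one MQTT CONNECT with the given credentials.
  #
  # @param username [String] user name placed in the CONNECT packet
  # @param password [String] password placed in the CONNECT packet
  # @return [Boolean] true when the CONNACK return code is zero, which
  #   MQTT 3.1.1 (Table 3.1 of the referenced spec) defines as
  #   "connection accepted"
  def test_login(username, password)
    client_opts = {
      username: username,
      password: password,
      read_timeout: read_timeout,
      client_id: client_id
    }
    connect
    client = Rex::Proto::MQTT::Client.new(sock, client_opts)
    connect_res = client.connect
    # MQTT-level DISCONNECT; it is skipped if client.connect raised above.
    client.disconnect
    connect_res.return_code.zero?
  ensure
    # Release the TCP socket opened by `connect` on every path, including a
    # failed or timed-out handshake, so a sweep over many hosts does not
    # accumulate open sockets.
    disconnect
  end

  # Checks whether the broker accepts a CONNECT with empty user name and
  # password.
  #
  # @return [Boolean] true when the broker does not require authentication
  def default_login
    vprint_status("Testing without credentials")
    anonymous_ok = test_login('', '')
    print_good("Does not require authentication") if anonymous_ok
    # Return the probe result explicitly. The original returned whatever
    # print_good returned (or nil), so run_host's decision to skip the sweep
    # depended on the output layer rather than on the broker's answer.
    anonymous_ok
  end

  # Per-host entry point called by the Scanner mixin.
  #
  # The sweep is skipped when the broker accepts anonymous connections;
  # presumably such a broker would make credential guesses meaningless and
  # pollute the credential store with false positives.
  #
  # @param _ip [String] target address (unused; rhost is read from the mixin)
  def run_host(_ip)
    brute unless default_login
  end

  # Runs the credential sweep and records each result.
  #
  # Successful guesses are stored as a credential core plus login; failed
  # guesses are recorded via invalidate_login.
  #
  # NOTE(review): both outcomes echo the user name and password in clear text
  # to the console (failures only in verbose mode), so console and spool logs
  # from a run contain credentials and need the same handling as the
  # credential store itself.
  def brute
    vprint_status("Starting MQTT login sweep")
    cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    scanner = Metasploit::Framework::LoginScanner::MQTT.new(
      configure_login_scanner(
        host: rhost,
        port: rport,
        read_timeout: datastore['READ_TIMEOUT'],
        client_id: client_id,
        proxies: datastore['PROXIES'],
        cred_details: cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: datastore['ConnectTimeout'],
        max_send_size: datastore['TCP::max_send_size'],
        send_delay: datastore['TCP::send_delay'],
        framework: framework,
        framework_module: self,
        ssl: datastore['SSL'],
        ssl_version: datastore['SSLVersion'],
        ssl_verify_mode: datastore['SSLVerifyMode'],
        ssl_cipher: datastore['SSLCipher'],
        local_port: datastore['CPORT'],
        local_host: datastore['CHOST']
      )
    )

    scanner.scan! do |result|
      # Tag the result with the originating module and workspace before it is
      # written to the database.
      credential_data = result.to_h
      credential_data.merge!(
        module_fullname: fullname,
        workspace_id: myworkspace_id
      )
      password = result.credential.private
      username = result.credential.public
      if result.success?
        credential_core = create_credential(credential_data)
        credential_data[:core] = credential_core
        create_credential_login(credential_data)
        print_good("MQTT Login Successful: #{username}/#{password}")
      else
        invalidate_login(credential_data)
        vprint_error("MQTT LOGIN FAILED: #{username}/#{password} (#{result.proof})")
      end
    end
  end
end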