CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Report8include Msf::Auxiliary::AuthBrute9include Msf::Auxiliary::Scanner1011def initialize12super(13'Name' => 'NeXpose API Interface Login Utility',14'Description' => %q{15This module simply attempts to login to a NeXpose API interface using a16specific user/pass.17},18'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],19'License' => MSF_LICENSE,20'DefaultOptions' => { 'SSL' => true }21)2223register_options(24[25Opt::RPORT(3780),26OptString.new('URI', [true, "URI for NeXpose API. Default is /api/1.1/xml", "/api/1.1/xml"]),27OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])28])29end3031def run_host(ip)32begin33res = send_request_cgi({34'uri' => datastore['URI'],35'method' => 'GET'36}, 25)37http_fingerprint({ :response => res })38rescue ::Rex::ConnectionError => e39vprint_error("#{datastore['URI']} - #{e.to_s}")40return41end4243if not res44vprint_error("#{datastore['URI']} - No response")45return46end47if res.code != 20048vprint_error("Did not get 200 for API XML interface")49return50end5152each_user_pass do |user, pass|53do_login(user, pass)54end55end5657def report_cred(opts)58service_data = {59address: opts[:ip],60port: opts[:port],61service_name: opts[:service_name],62protocol: 'tcp',63workspace_id: myworkspace_id64}6566credential_data = {67origin_type: :service,68module_fullname: fullname,69username: opts[:user],70private_data: opts[:password],71private_type: :password72}.merge(service_data)7374login_data = {75last_attempted_at: Time.now,76core: create_credential(credential_data),77status: Metasploit::Model::Login::Status::SUCCESSFUL,78proof: opts[:proof]79}.merge(service_data)8081create_credential_login(login_data)82end8384def do_login(user='nxadmin', pass='nxadmin')85vprint_status("Trying username:'#{user}' with password:'#{pass}'")86headers = {87'Content-Type' => 'text/xml'88}89data = '<?xml version="1.0" encoding="UTF-8"?><LoginRequest sync-id="1" user-id="' << user << '" password="' << pass << '"></LoginRequest>'90begin91res = send_request_cgi({92'encode' => true,93'uri' => datastore['URI'],94'method' => 'POST',95'headers' => headers,96'data' => data97}, 25)9899rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT100print_error("HTTP Connection Failed, Aborting")101return :abort102end103104if not res105print_error("HTTP Connection Error - res, Aborting")106return :abort107end108109if res.code != 200110vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")111return :skip_pass112end113114if res.code == 200115if res.body =~ /LoginResponse.*success="1"/116print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")117118report_cred(119ip: datastore['RHOST'],120port: datastore['RPORT'],121service_name: 'nexpose',122user: user,123password: pass,124proof: res.code.to_s125)126return :next_user127end128end129vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")130return :skip_pass131end132end133134135