Path: blob/master/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
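##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Login scanner for the OpenVAS OTP service.
#
# For every username/password pair yielded by +each_user_pass+ the module
# connects over TCP, sends the OTP/1.0 hello, answers the "User :" and
# "Password :" prompts and inspects the reply. Pairs the service accepts are
# recorded in the current workspace via #report_cred, with the raw server
# reply stored as proof.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Registers the module metadata and options (default RPORT 9391).
  def initialize
    super(
      'Name' => 'OpenVAS OTP Login Utility',
      'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.',
      'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(9391),
        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
      ]
    )
  end

  # Scanner entry point: tries every configured credential pair against one
  # host.
  #
  # @param ip [String] address of the host being scanned (the helpers read
  #   +rhost+/+rport+ instead, so it is not used directly here)
  # @return [void]
  def run_host(ip)
    print_status("#{msg} Connecting and checking username and passwords")
    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  rescue ::Rex::ConnectionError
    # Connection failures end the run for this host without a message.
  rescue ::StandardError => e
    # StandardError rather than Exception: Interrupt and SystemExit must reach
    # the framework so an operator can stop a running scan.
    vprint_error("#{msg} #{e} #{e.backtrace}")
  end

  # Sends one OTP line and stores the first chunk of the reply in @result.
  #
  # Errors are printed, not raised; in that case @result stays ''.
  #
  # @param data [String, nil] bytes to send; callers pass nil when they only
  #   want to read
  # @param con [Boolean] open a new connection before sending
  # @return [void] callers read @result and @connected instead
  def otp_send(data = nil, con = true)
    @result = ''
    @coderesult = ''
    if con
      @connected = false
      connect
      # select with no descriptors is used as a 0.4 s pause after connecting.
      select(nil, nil, nil, 0.4)
    end
    @connected = true
    sock.put(data)
    @result = sock.get_once
  rescue ::StandardError => err
    # Narrowed from Exception so Interrupt/SystemExit are not swallowed here.
    print_error("#{msg} Error: #{err}")
  end

  # Stores an accepted credential pair and its login record in the workspace.
  # The password is saved as-is (private_type :password).
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  # @return [Object] whatever create_credential_login returns
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Performs one OTP login attempt.
  #
  # @param user [String, nil] username to try
  # @param pass [String, nil] password to try
  # @return [Symbol, nil] :abort when the service does not answer the OTP
  #   hello, :next_user when the pair is accepted, :fail when it is rejected,
  #   nil when a connection or timeout error is rescued below
  def do_login(user = nil, pass = nil)
    otp_send("< OTP/1.0 >\n", true) # send hello
    if @result !~ /\<\ OTP\/1\.0 \>/
      print_error("#{msg} OpenVAS OTP does not appear to be running: did not get response to OTP hello: #{@result}")
      # Close the socket before giving up on this host, as the reject path
      # below does, so a non-OTP listener does not leave a connection open.
      if @connected
        disconnect
        @connected = false
      end
      return :abort
    end

    vprint_status("#{msg} Trying user:'#{user}' with password:'#{pass}'")
    otp_send(nil, !@connected)
    # A missing prompt is reported but the attempt continues (best effort).
    if @result !~ /User\ \:/
      print_error("#{msg} OpenVAS OTP did not send User request: #{@result}")
    end
    otp_send("#{user}\n", !@connected)
    if @result !~ /Password\ \:/
      print_error("#{msg} OpenVAS OTP did not send Password request: #{@result}")
    end
    otp_send("#{pass}\n", !@connected)

    # Success means the reply opens an OTP server message ("SERVER <|>").
    # The previous pattern, /SERVER <|>.*<|> SERVER/is, left `|` unescaped, so
    # it was an alternation that also accepted any reply containing
    # "SERVER <", "> SERVER", or a ">" followed by "<" on one line, and could
    # record credentials that were never accepted. Its `s` flag is Ruby's
    # Windows-31J encoding switch (not dot-all) and can raise
    # Encoding::CompatibilityError on replies with non-ASCII bytes.
    # NOTE(review): confirm against a live service that the first read after
    # the password always begins with "SERVER <|>".
    if @result =~ /SERVER <\|>/i
      print_good("#{msg} SUCCESSFUL login for '#{user}' : '#{pass}'")
      report_cred(
        ip: rhost,
        port: rport,
        service_name: 'openvas-otp',
        user: user,
        password: pass,
        proof: @result
      )
      disconnect
      @connected = false
      return :next_user
    else
      if @connected
        disconnect # Sometimes openvas disconnects the client after wrong attempts
        @connected = false
      end
      vprint_error("#{msg} Rejected user: '#{user}' with password: '#{pass}': #{@result}")
      return :fail
    end
  rescue ::Rex::ConnectionError, ::Timeout::Error, ::Errno::EPIPE
    # Transport errors during the exchange count as "no result" for this pair.
    nil
  end

  # Prefix for every console message.
  #
  # @return [String] "<rhost>:<rport> OpenVAS OTP -"
  def msg
    "#{rhost}:#{rport} OpenVAS OTP -"
  end
end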