Land #19158, reimplement password_spray into login modules

lib/msf/core/auxiliary/auth_brute.rb

@@ -9,6 +9,8 @@ module Msf
 
 module Auxiliary::AuthBrute
 
+  include Msf::Auxiliary::LoginScanner
+
   def initialize(info = {})
     super
 

lib/msf/core/auxiliary/login_scanner.rb

@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Auxiliary
+    ###
+    #
+    # This module provides a base configure scanner method for binding common datastore options to the login scanners
+    #
+    ###
+    module LoginScanner
+      #
+      # Converts datastore options into configuration parameters for the
+      # Msf::Auxiliary::LoginScanner. Any parameters passed into
+      # this method will override the defaults.
+      #
+      def configure_login_scanner(conf)
+        {
+          host: datastore['RHOST'],
+          port: datastore['RPORT'],
+          proxies: datastore['Proxies'],
+          stop_on_success: datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+          framework: framework,
+          framework_module: self,
+          local_port: datastore['CPORT'],
+          local_host: datastore['CHOST'],
+        }.merge(conf)
+      end
+    end
+  end
+end

lib/msf/core/exploit/remote/http_client.rb

@@ -14,6 +14,7 @@ module Msf
 module Exploit::Remote::HttpClient
 
   include Msf::Auxiliary::Report
+  include Msf::Auxiliary::LoginScanner
 
   #
   # Initializes an exploit module that exploits a vulnerability in an HTTP
@@ -152,7 +153,7 @@ def connect(opts={})
     client_password = opts['password'] || datastore['HttpPassword'] || ''
 
     http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self)
-    
+
     nclient = Rex::Proto::Http::Client.new(
       opts['rhost'] || rhost,
       (opts['rport'] || rport).to_i,
@@ -270,44 +271,39 @@ def connect_ws(opts={}, timeout = 20)
   # this method will override the defaults.
   #
   def configure_http_login_scanner(conf)
-    {
-      host:                          rhost,
-      port:                          rport,
-      ssl:                           ssl,
-      ssl_version:                   ssl_version,
-      proxies:                       datastore['PROXIES'],
-      framework:                     framework,
-      framework_module:              self,
-      vhost:                         vhost,
-      user_agent:                    datastore['UserAgent'],
-      evade_uri_encode_mode:         datastore['HTTP::uri_encode_mode'],
-      evade_uri_full_url:            datastore['HTTP::uri_full_url'],
-      evade_pad_method_uri_count:    datastore['HTTP::pad_method_uri_count'],
-      evade_pad_uri_version_count:   datastore['HTTP::pad_uri_version_count'],
-      evade_pad_method_uri_type:     datastore['HTTP::pad_method_uri_type'],
-      evade_pad_uri_version_type:    datastore['HTTP::pad_uri_version_type'],
-      evade_method_random_valid:     datastore['HTTP::method_random_valid'],
-      evade_method_random_invalid:   datastore['HTTP::method_random_invalid'],
-      evade_method_random_case:      datastore['HTTP::method_random_case'],
-      evade_version_random_valid:    datastore['HTTP::version_random_valid'],
-      evade_version_random_invalid:  datastore['HTTP::version_random_invalid'],
-      evade_uri_dir_self_reference:  datastore['HTTP::uri_dir_self_reference'],
-      evade_uri_dir_fake_relative:   datastore['HTTP::uri_dir_fake_relative'],
-      evade_uri_use_backslashes:     datastore['HTTP::uri_use_backslashes'],
-      evade_pad_fake_headers:        datastore['HTTP::pad_fake_headers'],
-      evade_pad_fake_headers_count:  datastore['HTTP::pad_fake_headers_count'],
-      evade_pad_get_params:          datastore['HTTP::pad_get_params'],
-      evade_pad_get_params_count:    datastore['HTTP::pad_get_params_count'],
-      evade_pad_post_params:         datastore['HTTP::pad_post_params'],
-      evade_pad_post_params_count:   datastore['HTTP::pad_post_params_count'],
-      evade_shuffle_get_params:      datastore['HTTP::shuffle_get_params'],
-      evade_shuffle_post_params:     datastore['HTTP::shuffle_post_params'],
-      evade_uri_fake_end:            datastore['HTTP::uri_fake_end'],
-      evade_uri_fake_params_start:   datastore['HTTP::uri_fake_params_start'],
-      evade_header_folding:          datastore['HTTP::header_folding'],
-      ntlm_domain:                   datastore['DOMAIN'],
-      digest_auth_iis:               datastore['DigestAuthIIS']
-    }.merge(conf)
+    configure_login_scanner(
+      {
+        vhost:                         vhost,
+        user_agent:                    datastore['UserAgent'],
+        evade_uri_encode_mode:         datastore['HTTP::uri_encode_mode'],
+        evade_uri_full_url:            datastore['HTTP::uri_full_url'],
+        evade_pad_method_uri_count:    datastore['HTTP::pad_method_uri_count'],
+        evade_pad_uri_version_count:   datastore['HTTP::pad_uri_version_count'],
+        evade_pad_method_uri_type:     datastore['HTTP::pad_method_uri_type'],
+        evade_pad_uri_version_type:    datastore['HTTP::pad_uri_version_type'],
+        evade_method_random_valid:     datastore['HTTP::method_random_valid'],
+        evade_method_random_invalid:   datastore['HTTP::method_random_invalid'],
+        evade_method_random_case:      datastore['HTTP::method_random_case'],
+        evade_version_random_valid:    datastore['HTTP::version_random_valid'],
+        evade_version_random_invalid:  datastore['HTTP::version_random_invalid'],
+        evade_uri_dir_self_reference:  datastore['HTTP::uri_dir_self_reference'],
+        evade_uri_dir_fake_relative:   datastore['HTTP::uri_dir_fake_relative'],
+        evade_uri_use_backslashes:     datastore['HTTP::uri_use_backslashes'],
+        evade_pad_fake_headers:        datastore['HTTP::pad_fake_headers'],
+        evade_pad_fake_headers_count:  datastore['HTTP::pad_fake_headers_count'],
+        evade_pad_get_params:          datastore['HTTP::pad_get_params'],
+        evade_pad_get_params_count:    datastore['HTTP::pad_get_params_count'],
+        evade_pad_post_params:         datastore['HTTP::pad_post_params'],
+        evade_pad_post_params_count:   datastore['HTTP::pad_post_params_count'],
+        evade_shuffle_get_params:      datastore['HTTP::shuffle_get_params'],
+        evade_shuffle_post_params:     datastore['HTTP::shuffle_post_params'],
+        evade_uri_fake_end:            datastore['HTTP::uri_fake_end'],
+        evade_uri_fake_params_start:   datastore['HTTP::uri_fake_params_start'],
+        evade_header_folding:          datastore['HTTP::header_folding'],
+        ntlm_domain:                   datastore['DOMAIN'],
+        digest_auth_iis:               datastore['DigestAuthIIS'],
+      }.merge(conf)
+    )
   end
 
   #

modules/auxiliary/scanner/acpp/login.rb

@@ -40,7 +40,6 @@ def initialize
       'DB_ALL_USERS',
       'DB_ALL_CREDS',
       'DB_SKIP_EXISTING',
-      'PASSWORD_SPRAY',
       'USERNAME',
       'USERPASS_FILE',
       'USER_FILE',
@@ -61,23 +60,25 @@ def run_host(ip)
     cred_collection = prepend_db_passwords(cred_collection)
 
     scanner = Metasploit::Framework::LoginScanner::ACPP.new(
-      host: ip,
-      port: rport,
-      proxies: datastore['PROXIES'],
-      cred_details: cred_collection,
-      stop_on_success: datastore['STOP_ON_SUCCESS'],
-      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
-      connection_timeout: datastore['ConnectTimeout'],
-      max_send_size: datastore['TCP::max_send_size'],
-      send_delay: datastore['TCP::send_delay'],
-      framework: framework,
-      framework_module: self,
-      ssl: datastore['SSL'],
-      ssl_version: datastore['SSLVersion'],
-      ssl_verify_mode: datastore['SSLVerifyMode'],
-      ssl_cipher: datastore['SSLCipher'],
-      local_port: datastore['CPORT'],
-      local_host: datastore['CHOST']
+      configure_login_scanner(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+        connection_timeout: datastore['ConnectTimeout'],
+        max_send_size: datastore['TCP::max_send_size'],
+        send_delay: datastore['TCP::send_delay'],
+        framework: framework,
+        framework_module: self,
+        ssl: datastore['SSL'],
+        ssl_version: datastore['SSLVersion'],
+        ssl_verify_mode: datastore['SSLVerifyMode'],
+        ssl_cipher: datastore['SSLCipher'],
+        local_port: datastore['CPORT'],
+        local_host: datastore['CHOST']
+      )
     )
 
     scanner.scan! do |result|

modules/auxiliary/scanner/afp/afp_login.rb

@@ -36,8 +36,6 @@ def initialize(info={})
         OptBool.new('RECORD_GUEST', [ false, "Record guest login to the database", false]),
         OptBool.new('CHECK_GUEST', [ false, "Check for guest login", true])
       ], self)
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
   def run_host(ip)
@@ -49,6 +47,7 @@ def run_host(ip)
     )
 
     scanner = Metasploit::Framework::LoginScanner::AFP.new(
+      configure_login_scanner(
         host: ip,
         port: rport,
         proxies: datastore['PROXIES'],
@@ -66,6 +65,7 @@ def run_host(ip)
         ssl_cipher: datastore['SSLCipher'],
         local_port: datastore['CPORT'],
         local_host: datastore['CHOST']
+      )
     )
 
     scanner.scan! do |result|

modules/auxiliary/scanner/db2/db2_auth.rb

@@ -36,8 +36,6 @@ def initialize
         OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
           File.join(Msf::Config.data_directory, "wordlists", "db2_default_pass.txt") ]),
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
   def run_host(ip)
@@ -48,6 +46,7 @@ def run_host(ip)
     )
 
     scanner = Metasploit::Framework::LoginScanner::DB2.new(
+      configure_login_scanner(
         host: ip,
         port: rport,
         proxies: datastore['PROXIES'],
@@ -65,6 +64,7 @@ def run_host(ip)
         ssl_cipher: datastore['SSLCipher'],
         local_port: datastore['CPORT'],
         local_host: datastore['CHOST']
+      )
     )
 
     scanner.scan! do |result|

modules/auxiliary/scanner/ftp/ftp_login.rb

@@ -49,7 +49,7 @@ def initialize
       ]
     )
 
-    deregister_options('FTPUSER','FTPPASS', 'PASSWORD_SPRAY') # Can use these, but should use 'username' and 'password'
+    deregister_options('FTPUSER','FTPPASS') # Can use these, but should use 'username' and 'password'
     @accepts_all_logins = {}
   end
 
@@ -64,6 +64,7 @@ def run_host(ip)
     )
 
     scanner = Metasploit::Framework::LoginScanner::FTP.new(
+      configure_login_scanner(
         host: ip,
         port: rport,
         proxies: datastore['PROXIES'],
@@ -82,6 +83,7 @@ def run_host(ip)
         ssl_cipher: datastore['SSLCipher'],
         local_port: datastore['CPORT'],
         local_host: datastore['CHOST']
+      )
     )
 
     scanner.scan! do |result|

modules/auxiliary/scanner/http/advantech_webaccess_login.rb

@@ -31,8 +31,6 @@ def initialize(info={})
         OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
         OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:[empty]', false])
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
 

modules/auxiliary/scanner/http/appletv_login.rb

@@ -53,7 +53,7 @@ def initialize
     deregister_options(
         'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING',
         'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2',
-        'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername', 'PASSWORD_SPRAY'
+        'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername'
     )
   end
 
@@ -124,4 +124,3 @@ def each
     end
   end
 end
-

modules/auxiliary/scanner/http/axis_login.rb

@@ -38,8 +38,6 @@ def initialize
       Opt::RPORT(8080),
       OptString.new('TARGETURI', [false, 'Path to the Apache Axis Administration page', '/axis2/axis2-admin/login']),
     ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
   # For print_* methods

modules/auxiliary/scanner/http/azure_ad_login.rb

@@ -41,7 +41,7 @@ def initialize
       ]
     )
 
-    deregister_options('PASSWORD_SPRAY', 'VHOST', 'USER_AS_PASS',
+    deregister_options('VHOST', 'USER_AS_PASS',
                        'USERPASS_FILE', 'STOP_ON_SUCCESS', 'Proxies',
                        'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS',
                        'BLANK_PASSWORDS', 'RHOSTS')

modules/auxiliary/scanner/http/bavision_cam_login.rb

@@ -28,8 +28,6 @@ def initialize(info={})
       [
         OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:123456', false])
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
 

modules/auxiliary/scanner/http/buffalo_login.rb

@@ -27,8 +27,6 @@ def initialize
       [
         Opt::RPORT(80)
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
   def run_host(ip)

modules/auxiliary/scanner/http/caidao_bruteforce_login.rb

@@ -38,7 +38,7 @@ def initialize(info = {})
       ])
 
     # caidao does not have an username, there's only password
-    deregister_options('HttpUsername', 'HttpPassword', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS', 'PASSWORD_SPRAY')
+    deregister_options('HttpUsername', 'HttpPassword', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS')
   end
 
   def scanner(ip)

modules/auxiliary/scanner/http/chef_webui_login.rb

@@ -38,8 +38,6 @@ def initialize
         OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']),
         OptString.new('TARGETURI', [ true,  'The path to the Chef Web UI application', '/']),
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
   #

modules/auxiliary/scanner/http/cisco_firepower_login.rb

@@ -34,8 +34,6 @@ def initialize(info={})
         OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
         OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:Admin123', false])
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
 

modules/auxiliary/scanner/http/directadmin_login.rb

@@ -32,8 +32,6 @@ def initialize(info={})
         OptString.new('USERNAME', [false, 'The username to specify for authentication', '']),
         OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']),
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
 

modules/auxiliary/scanner/http/gitlab_login.rb

@@ -32,8 +32,6 @@ def initialize
         OptString.new('TARGETURI', [true, 'The path to GitLab', '/'])
       ])
 
-    deregister_options('PASSWORD_SPRAY')
-
     register_autofilter_ports([ 80, 443 ])
   end
 

modules/auxiliary/scanner/http/glassfish_login.rb

@@ -41,8 +41,6 @@ def initialize
         Opt::RPORT(4848),
         OptString.new('USERNAME',[true, 'A specific username to authenticate as','admin']),
       ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
   #

modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb

@@ -36,8 +36,6 @@ def initialize(info={})
       OptString.new('CPQLOGIN', [true, 'The homepage of the login', '/cpqlogin.htm']),
       OptString.new('LOGIN_REDIRECT', [true, 'The URL to redirect to', '/cpqlogin'])
     ])
-
-    deregister_options('PASSWORD_SPRAY')
   end
 
   def get_version(res)
@@ -199,4 +197,3 @@ def run_host(ip)
     bruteforce(ip)
   end
 end
-

modules/auxiliary/scanner/http/http_login.rb

@@ -50,7 +50,7 @@ def initialize
       ]
     )
 
-    deregister_options('USERNAME', 'PASSWORD', 'PASSWORD_SPRAY')
+    deregister_options('USERNAME', 'PASSWORD')
   end
 
   def to_uri(uri)