From bb473f4004b26a12fdd28569fcfa941b53cfcc08 Mon Sep 17 00:00:00 2001 
From: cgranleese-r7 Date: Fri, 3 May 2024 10:45:37 +0100 Subject: [PATCH] Reimplement password_spray into login modules --- lib/msf/core/auxiliary/auth_brute.rb | 2 + lib/msf/core/auxiliary/login_scanner.rb | 31 ++++++++ lib/msf/core/exploit/remote/http_client.rb | 74 +++++++++---------- modules/auxiliary/scanner/acpp/login.rb | 37 +++++----- modules/auxiliary/scanner/afp/afp_login.rb | 4 +- modules/auxiliary/scanner/db2/db2_auth.rb | 4 +- modules/auxiliary/scanner/ftp/ftp_login.rb | 4 +- .../scanner/http/advantech_webaccess_login.rb | 2 - .../auxiliary/scanner/http/appletv_login.rb | 3 +- modules/auxiliary/scanner/http/axis_login.rb | 2 - .../auxiliary/scanner/http/azure_ad_login.rb | 2 +- .../scanner/http/bavision_cam_login.rb | 2 - .../auxiliary/scanner/http/buffalo_login.rb | 2 - .../scanner/http/caidao_bruteforce_login.rb | 2 +- .../scanner/http/chef_webui_login.rb | 2 - .../scanner/http/cisco_firepower_login.rb | 2 - .../scanner/http/directadmin_login.rb | 2 - .../auxiliary/scanner/http/gitlab_login.rb | 2 - .../auxiliary/scanner/http/glassfish_login.rb | 2 - .../scanner/http/hp_sys_mgmt_login.rb | 3 - modules/auxiliary/scanner/http/http_login.rb | 2 +- .../auxiliary/scanner/http/ipboard_login.rb | 2 - .../auxiliary/scanner/http/jenkins_login.rb | 2 - .../auxiliary/scanner/http/jupyter_login.rb | 2 +- .../manageengine_desktop_central_login.rb | 2 - .../scanner/http/mybook_live_login.rb | 2 +- .../scanner/http/octopusdeploy_login.rb | 2 - .../scanner/http/phpmyadmin_login.rb | 2 - .../scanner/http/softing_sis_login.rb | 2 - .../http/symantec_web_gateway_login.rb | 2 - .../scanner/http/syncovery_linux_login.rb | 2 - .../syncovery_linux_token_cve_2022_36536.rb | 16 ++-- .../scanner/http/tomcat_mgr_login.rb | 2 - .../scanner/http/wordpress_multicall_creds.rb | 2 +- .../scanner/http/wordpress_xmlrpc_login.rb | 2 +- .../auxiliary/scanner/http/zabbix_login.rb | 2 - modules/auxiliary/scanner/ldap/ldap_login.rb | 25 ++++--- .../misc/freeswitch_event_socket_login.rb | 
14 ++-- modules/auxiliary/scanner/mqtt/connect.rb | 42 +++++------ .../auxiliary/scanner/mssql/mssql_login.rb | 5 +- .../auxiliary/scanner/mysql/mysql_login.rb | 8 +- .../scanner/nessus/nessus_rest_login.rb | 2 +- modules/auxiliary/scanner/pop3/pop3_login.rb | 36 ++++----- .../scanner/postgres/postgres_login.rb | 24 +++--- .../auxiliary/scanner/redis/redis_login.rb | 16 ++-- .../auxiliary/scanner/sage/x3_adxsrv_login.rb | 26 ++++--- modules/auxiliary/scanner/smb/smb_login.rb | 34 +++++---- modules/auxiliary/scanner/snmp/snmp_login.rb | 4 +- modules/auxiliary/scanner/ssh/karaf_login.rb | 20 ++--- modules/auxiliary/scanner/ssh/ssh_login.rb | 24 +++--- .../auxiliary/scanner/ssh/ssh_login_pubkey.rb | 24 +++--- .../scanner/telnet/brocade_enable_login.rb | 4 +- .../auxiliary/scanner/telnet/telnet_login.rb | 4 +- .../scanner/varnish/varnish_cli_login.rb | 19 +++-- .../auxiliary/scanner/vmware/vmauthd_login.rb | 38 +++++----- modules/auxiliary/scanner/vnc/vnc_login.rb | 4 +- .../auxiliary/scanner/winrm/winrm_login.rb | 26 +++---- 57 files changed, 317 insertions(+), 312 deletions(-) create mode 100644 lib/msf/core/auxiliary/login_scanner.rb
diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb
index 67a4c2cc2434..9008aa18ad51 100644
--- a/lib/msf/core/auxiliary/auth_brute.rb
+++ b/lib/msf/core/auxiliary/auth_brute.rb
@@ -9,6 +9,8 @@ module Msf module Auxiliary::AuthBrute + include Msf::Auxiliary::LoginScanner + def initialize(info = {}) super
diff --git a/lib/msf/core/auxiliary/login_scanner.rb b/lib/msf/core/auxiliary/login_scanner.rb
new file mode 100644
index 000000000000..5c82598e25b8
--- /dev/null
+++ b/lib/msf/core/auxiliary/login_scanner.rb
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+module Msf
+ class Auxiliary
+ ###
+ #
+ # This module provides a base configure scanner method for binding common datastore options to the login scanners
+ #
+ ###
+ module LoginScanner
+ #
+ # Converts datastore options into configuration parameters for the
+ # Msf::Auxiliary::LoginScanner. Any parameters passed into
+ # this method will override the defaults.
+ #
+ def configure_login_scanner(conf)
+ {
+ host: datastore['RHOST'],
+ port: datastore['RPORT'],
+ proxies: datastore['Proxies'],
+ stop_on_success: datastore['STOP_ON_SUCCESS'],
+ bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+ framework: framework,
+ framework_module: self,
+ local_port: datastore['CPORT'],
+ local_host: datastore['CHOST'],
+ }.merge(conf)
+ end
+ end
+ end
+end
diff --git a/lib/msf/core/exploit/remote/http_client.rb b/lib/msf/core/exploit/remote/http_client.rb
index e6da3d68f624..677f2b6051bd 100644
--- a/lib/msf/core/exploit/remote/http_client.rb
+++ b/lib/msf/core/exploit/remote/http_client.rb
@@ -14,6 +14,7 @@ module Msf module Exploit::Remote::HttpClient include Msf::Auxiliary::Report + include Msf::Auxiliary::LoginScanner # # Initializes an exploit module that exploits a vulnerability in an HTTP
@@ -152,7 +153,7 @@ def connect(opts={}) client_password = opts['password'] || datastore['HttpPassword'] || '' http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self) - + nclient = Rex::Proto::Http::Client.new( opts['rhost'] || rhost, (opts['rport'] || rport).to_i,
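Review bot: The header comment on `configure_login_scanner` says the hash is configuration "for the Msf::Auxiliary::LoginScanner", but that is the name of this mixin itself; what the callers in this patch do with the hash is hand it to `Metasploit::Framework::LoginScanner::*.new` (acpp, afp, db2, ftp, ldap, mqtt), so I'd change the two comment lines to `# Converts datastore options into the configuration hash handed to a` / `# Metasploit::Framework::LoginScanner instance; keys in conf override these defaults.`. The default `proxies: datastore['Proxies']` also spells the key differently from the `datastore['PROXIES']` that every module in this patch still passes; that is only equivalent if datastore lookups are case-insensitive, which nothing here shows, so one spelling should be used throughout. Since the commit is about password spraying, the same comment should also say whether `password_spray` is deliberately left out of these defaults, because no line in the new file reads `PASSWORD_SPRAY`.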
@@ -270,44 +271,39 @@ def connect_ws(opts={}, timeout = 20)
 # this method will override the defaults.
 #
 def configure_http_login_scanner(conf)
- {
- host: rhost,
- port: rport,
- ssl: ssl,
- ssl_version: ssl_version,
- proxies: datastore['PROXIES'],
- framework: framework,
- framework_module: self,
- vhost: vhost,
- user_agent: datastore['UserAgent'],
- evade_uri_encode_mode: datastore['HTTP::uri_encode_mode'],
- evade_uri_full_url: datastore['HTTP::uri_full_url'],
- evade_pad_method_uri_count: datastore['HTTP::pad_method_uri_count'],
- evade_pad_uri_version_count: datastore['HTTP::pad_uri_version_count'],
- evade_pad_method_uri_type: datastore['HTTP::pad_method_uri_type'],
- evade_pad_uri_version_type: datastore['HTTP::pad_uri_version_type'],
- evade_method_random_valid: datastore['HTTP::method_random_valid'],
- evade_method_random_invalid: datastore['HTTP::method_random_invalid'],
- evade_method_random_case: datastore['HTTP::method_random_case'],
- evade_version_random_valid: datastore['HTTP::version_random_valid'],
- evade_version_random_invalid: datastore['HTTP::version_random_invalid'],
- evade_uri_dir_self_reference: datastore['HTTP::uri_dir_self_reference'],
- evade_uri_dir_fake_relative: datastore['HTTP::uri_dir_fake_relative'],
- evade_uri_use_backslashes: datastore['HTTP::uri_use_backslashes'],
- evade_pad_fake_headers: datastore['HTTP::pad_fake_headers'],
- evade_pad_fake_headers_count: datastore['HTTP::pad_fake_headers_count'],
- evade_pad_get_params: datastore['HTTP::pad_get_params'],
- evade_pad_get_params_count: datastore['HTTP::pad_get_params_count'],
- evade_pad_post_params: datastore['HTTP::pad_post_params'],
- evade_pad_post_params_count: datastore['HTTP::pad_post_params_count'],
- evade_shuffle_get_params: datastore['HTTP::shuffle_get_params'],
- evade_shuffle_post_params: datastore['HTTP::shuffle_post_params'],
- evade_uri_fake_end: datastore['HTTP::uri_fake_end'],
- evade_uri_fake_params_start: datastore['HTTP::uri_fake_params_start'],
-
evade_header_folding: datastore['HTTP::header_folding'],
- ntlm_domain: datastore['DOMAIN'],
- digest_auth_iis: datastore['DigestAuthIIS']
- }.merge(conf)
+ configure_login_scanner(
+ {
+ vhost: vhost,
+ user_agent: datastore['UserAgent'],
+ evade_uri_encode_mode: datastore['HTTP::uri_encode_mode'],
+ evade_uri_full_url: datastore['HTTP::uri_full_url'],
+ evade_pad_method_uri_count: datastore['HTTP::pad_method_uri_count'],
+ evade_pad_uri_version_count: datastore['HTTP::pad_uri_version_count'],
+ evade_pad_method_uri_type: datastore['HTTP::pad_method_uri_type'],
+ evade_pad_uri_version_type: datastore['HTTP::pad_uri_version_type'],
+ evade_method_random_valid: datastore['HTTP::method_random_valid'],
+ evade_method_random_invalid: datastore['HTTP::method_random_invalid'],
+ evade_method_random_case: datastore['HTTP::method_random_case'],
+ evade_version_random_valid: datastore['HTTP::version_random_valid'],
+ evade_version_random_invalid: datastore['HTTP::version_random_invalid'],
+ evade_uri_dir_self_reference: datastore['HTTP::uri_dir_self_reference'],
+ evade_uri_dir_fake_relative: datastore['HTTP::uri_dir_fake_relative'],
+ evade_uri_use_backslashes: datastore['HTTP::uri_use_backslashes'],
+ evade_pad_fake_headers: datastore['HTTP::pad_fake_headers'],
+ evade_pad_fake_headers_count: datastore['HTTP::pad_fake_headers_count'],
+ evade_pad_get_params: datastore['HTTP::pad_get_params'],
+ evade_pad_get_params_count: datastore['HTTP::pad_get_params_count'],
+ evade_pad_post_params: datastore['HTTP::pad_post_params'],
+ evade_pad_post_params_count: datastore['HTTP::pad_post_params_count'],
+ evade_shuffle_get_params: datastore['HTTP::shuffle_get_params'],
+ evade_shuffle_post_params: datastore['HTTP::shuffle_post_params'],
+ evade_uri_fake_end: datastore['HTTP::uri_fake_end'],
+ evade_uri_fake_params_start: datastore['HTTP::uri_fake_params_start'],
+ evade_header_folding: datastore['HTTP::header_folding'],
+ ntlm_domain: datastore['DOMAIN'],
+ digest_auth_iis:
datastore['DigestAuthIIS'],
+ }.merge(conf)
+ )
 end
 #
diff --git a/modules/auxiliary/scanner/acpp/login.rb b/modules/auxiliary/scanner/acpp/login.rb
index c541266c1b15..042ceb7405c4 100644
--- a/modules/auxiliary/scanner/acpp/login.rb
+++ b/modules/auxiliary/scanner/acpp/login.rb
@@ -40,7 +40,6 @@ def initialize
 'DB_ALL_USERS',
 'DB_ALL_CREDS',
 'DB_SKIP_EXISTING',
- 'PASSWORD_SPRAY',
 'USERNAME',
 'USERPASS_FILE',
 'USER_FILE',
@@ -61,23 +60,25 @@ def run_host(ip)
 cred_collection = prepend_db_passwords(cred_collection)
 scanner = Metasploit::Framework::LoginScanner::ACPP.new(
- host: ip,
- port: rport,
- proxies: datastore['PROXIES'],
- cred_details: cred_collection,
- stop_on_success: datastore['STOP_ON_SUCCESS'],
- bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
- connection_timeout: datastore['ConnectTimeout'],
- max_send_size: datastore['TCP::max_send_size'],
- send_delay: datastore['TCP::send_delay'],
- framework: framework,
- framework_module: self,
- ssl: datastore['SSL'],
- ssl_version: datastore['SSLVersion'],
- ssl_verify_mode: datastore['SSLVerifyMode'],
- ssl_cipher: datastore['SSLCipher'],
- local_port: datastore['CPORT'],
- local_host: datastore['CHOST']
+ configure_login_scanner(
+ host: ip,
+ port: rport,
+ proxies: datastore['PROXIES'],
+ cred_details: cred_collection,
+ stop_on_success: datastore['STOP_ON_SUCCESS'],
+ bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+ connection_timeout: datastore['ConnectTimeout'],
+ max_send_size: datastore['TCP::max_send_size'],
+ send_delay: datastore['TCP::send_delay'],
+ framework: framework,
+ framework_module: self,
+ ssl: datastore['SSL'],
+ ssl_version: datastore['SSLVersion'],
+ ssl_verify_mode: datastore['SSLVerifyMode'],
+ ssl_cipher: datastore['SSLCipher'],
+ local_port: datastore['CPORT'],
+ local_host: datastore['CHOST']
+ )
 )
 scanner.scan! do |result|
diff --git a/modules/auxiliary/scanner/afp/afp_login.rb b/modules/auxiliary/scanner/afp/afp_login.rb
index d32718cc5ac7..4d89c8a50929 100644
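Review bot: The rewritten `configure_http_login_scanner` no longer sets `ssl:` and `ssl_version:` — the removed hash had `ssl: ssl, ssl_version: ssl_version`, and the defaults that `configure_login_scanner` supplies in the new lib/msf/core/auxiliary/login_scanner.rb contain neither key — so HTTP login modules that rely on this helper for HTTPS targets lose their TLS settings unless the HTTP scanner class defaults them somewhere not shown in this patch. Put `ssl: ssl,` and `ssl_version: ssl_version,` back into the inner hash, ahead of `vhost: vhost,`. Note also that `host` and `port` now come from `datastore['RHOST']`/`datastore['RPORT']` through the helper instead of the `rhost`/`rport` methods the old hash used; if those methods apply any normalisation, pass `host: rhost, port: rport` explicitly here as well.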
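Review bot: In the acpp `run_host` hunk every key that `configure_login_scanner` would default (`port`, `proxies`, `stop_on_success`, `bruteforce_speed`, `framework`, `framework_module`, `local_port`, `local_host`) is still passed explicitly, so the wrapper changes nothing here and the defaults in login_scanner.rb can drift from these copies unnoticed; the afp, db2, ftp, ldap and mqtt hunks below have the same shape. I'd keep only the keys that genuinely differ from the helper — `host: ip` (the helper reads `datastore['RHOST']`, which is not necessarily the per-target `ip` handed to `run_host`), `cred_details`, and the timeout, TCP and SSL keys — and delete the duplicated lines. The explicit `proxies: datastore['PROXIES']` is the one to reconcile first, since the helper spells the key `datastore['Proxies']` and the two are only interchangeable if datastore lookups ignore case.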
--- a/modules/auxiliary/scanner/afp/afp_login.rb +++ b/modules/auxiliary/scanner/afp/afp_login.rb @@ -36,8 +36,6 @@ def initialize(info={}) OptBool.new('RECORD_GUEST', [ false, "Record guest login to the database", false]), OptBool.new('CHECK_GUEST', [ false, "Check for guest login", true]) ], self) - - deregister_options('PASSWORD_SPRAY') end def run_host(ip) @@ -49,6 +47,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::AFP.new( + configure_login_scanner( host: ip, port: rport, proxies: datastore['PROXIES'], @@ -66,6 +65,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/db2/db2_auth.rb b/modules/auxiliary/scanner/db2/db2_auth.rb index 26bb85ece9f0..ba5ad5a1038d 100644 --- a/modules/auxiliary/scanner/db2/db2_auth.rb +++ b/modules/auxiliary/scanner/db2/db2_auth.rb @@ -36,8 +36,6 @@ def initialize OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", File.join(Msf::Config.data_directory, "wordlists", "db2_default_pass.txt") ]), ]) - - deregister_options('PASSWORD_SPRAY') end def run_host(ip) @@ -48,6 +46,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::DB2.new( + configure_login_scanner( host: ip, port: rport, proxies: datastore['PROXIES'], @@ -65,6 +64,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/ftp/ftp_login.rb b/modules/auxiliary/scanner/ftp/ftp_login.rb index 107feea01a51..f189256fc386 100644 --- a/modules/auxiliary/scanner/ftp/ftp_login.rb +++ b/modules/auxiliary/scanner/ftp/ftp_login.rb 
@@ -49,7 +49,7 @@ def initialize ] ) - deregister_options('FTPUSER','FTPPASS', 'PASSWORD_SPRAY') # Can use these, but should use 'username' and 'password' + deregister_options('FTPUSER','FTPPASS') # Can use these, but should use 'username' and 'password' @accepts_all_logins = {} end @@ -64,6 +64,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::FTP.new( + configure_login_scanner( host: ip, port: rport, proxies: datastore['PROXIES'], @@ -82,6 +83,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/http/advantech_webaccess_login.rb b/modules/auxiliary/scanner/http/advantech_webaccess_login.rb index 20c4a4225972..acda1846d7ae 100644 --- a/modules/auxiliary/scanner/http/advantech_webaccess_login.rb +++ b/modules/auxiliary/scanner/http/advantech_webaccess_login.rb @@ -31,8 +31,6 @@ def initialize(info={}) OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']), OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:[empty]', false]) ]) - - deregister_options('PASSWORD_SPRAY') end diff --git a/modules/auxiliary/scanner/http/appletv_login.rb b/modules/auxiliary/scanner/http/appletv_login.rb index bd3bd93f24bd..ad3a24905c6e 100644 --- a/modules/auxiliary/scanner/http/appletv_login.rb +++ b/modules/auxiliary/scanner/http/appletv_login.rb @@ -53,7 +53,7 @@ def initialize deregister_options( 'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', 'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', - 'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername', 'PASSWORD_SPRAY' + 'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername' ) end @@ -124,4 +124,3 @@ def each end end end - 
diff --git a/modules/auxiliary/scanner/http/axis_login.rb b/modules/auxiliary/scanner/http/axis_login.rb index b7c763ad08ac..01d8529329cb 100644 --- a/modules/auxiliary/scanner/http/axis_login.rb +++ b/modules/auxiliary/scanner/http/axis_login.rb @@ -38,8 +38,6 @@ def initialize Opt::RPORT(8080), OptString.new('TARGETURI', [false, 'Path to the Apache Axis Administration page', '/axis2/axis2-admin/login']), ]) - - deregister_options('PASSWORD_SPRAY') end # For print_* methods diff --git a/modules/auxiliary/scanner/http/azure_ad_login.rb b/modules/auxiliary/scanner/http/azure_ad_login.rb index 80980f8963bd..51a6810880c9 100644 --- a/modules/auxiliary/scanner/http/azure_ad_login.rb +++ b/modules/auxiliary/scanner/http/azure_ad_login.rb @@ -41,7 +41,7 @@ def initialize ] ) - deregister_options('PASSWORD_SPRAY', 'VHOST', 'USER_AS_PASS', + deregister_options('VHOST', 'USER_AS_PASS', 'USERPASS_FILE', 'STOP_ON_SUCCESS', 'Proxies', 'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'BLANK_PASSWORDS', 'RHOSTS') diff --git a/modules/auxiliary/scanner/http/bavision_cam_login.rb b/modules/auxiliary/scanner/http/bavision_cam_login.rb index be59bbe5eb09..36f6c800bdc2 100644 --- a/modules/auxiliary/scanner/http/bavision_cam_login.rb +++ b/modules/auxiliary/scanner/http/bavision_cam_login.rb @@ -28,8 +28,6 @@ def initialize(info={}) [ OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:123456', false]) ]) - - deregister_options('PASSWORD_SPRAY') end diff --git a/modules/auxiliary/scanner/http/buffalo_login.rb b/modules/auxiliary/scanner/http/buffalo_login.rb index 756f26f41ba4..bc002fb1bb58 100644 --- a/modules/auxiliary/scanner/http/buffalo_login.rb +++ b/modules/auxiliary/scanner/http/buffalo_login.rb @@ -27,8 +27,6 @@ def initialize [ Opt::RPORT(80) ]) - - deregister_options('PASSWORD_SPRAY') end def run_host(ip) 
diff --git a/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb b/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb index ef8a04216f8f..7b950d4c7fc3 100644 --- a/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb +++ b/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb @@ -38,7 +38,7 @@ def initialize(info = {}) ]) # caidao does not have an username, there's only password - deregister_options('HttpUsername', 'HttpPassword', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS', 'PASSWORD_SPRAY') + deregister_options('HttpUsername', 'HttpPassword', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'DB_ALL_USERS') end def scanner(ip) diff --git a/modules/auxiliary/scanner/http/chef_webui_login.rb b/modules/auxiliary/scanner/http/chef_webui_login.rb index 8added35f199..3374b214e524 100644 --- a/modules/auxiliary/scanner/http/chef_webui_login.rb +++ b/modules/auxiliary/scanner/http/chef_webui_login.rb @@ -38,8 +38,6 @@ def initialize OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']), OptString.new('TARGETURI', [ true, 'The path to the Chef Web UI application', '/']), ]) - - deregister_options('PASSWORD_SPRAY') end # diff --git a/modules/auxiliary/scanner/http/cisco_firepower_login.rb b/modules/auxiliary/scanner/http/cisco_firepower_login.rb index 082a5de46dc0..a598016755db 100644 --- a/modules/auxiliary/scanner/http/cisco_firepower_login.rb +++ b/modules/auxiliary/scanner/http/cisco_firepower_login.rb @@ -34,8 +34,6 @@ def initialize(info={}) OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']), OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:Admin123', false]) ]) - - deregister_options('PASSWORD_SPRAY') end diff --git a/modules/auxiliary/scanner/http/directadmin_login.rb b/modules/auxiliary/scanner/http/directadmin_login.rb index c70c0d93e5a6..80df8e373ef2 100644 
--- a/modules/auxiliary/scanner/http/directadmin_login.rb +++ b/modules/auxiliary/scanner/http/directadmin_login.rb @@ -32,8 +32,6 @@ def initialize(info={}) OptString.new('USERNAME', [false, 'The username to specify for authentication', '']), OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']), ]) - - deregister_options('PASSWORD_SPRAY') end diff --git a/modules/auxiliary/scanner/http/gitlab_login.rb b/modules/auxiliary/scanner/http/gitlab_login.rb index 794adfda1da4..e9b42d8f29fb 100644 --- a/modules/auxiliary/scanner/http/gitlab_login.rb +++ b/modules/auxiliary/scanner/http/gitlab_login.rb @@ -32,8 +32,6 @@ def initialize OptString.new('TARGETURI', [true, 'The path to GitLab', '/']) ]) - deregister_options('PASSWORD_SPRAY') - register_autofilter_ports([ 80, 443 ]) end diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb index 0606fb1ad1a9..e98035258bc8 100644 --- a/modules/auxiliary/scanner/http/glassfish_login.rb +++ b/modules/auxiliary/scanner/http/glassfish_login.rb @@ -41,8 +41,6 @@ def initialize Opt::RPORT(4848), OptString.new('USERNAME',[true, 'A specific username to authenticate as','admin']), ]) - - deregister_options('PASSWORD_SPRAY') end # diff --git a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb index 0eac188b7984..2e2c98b6fe31 100644 --- a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb +++ b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb @@ -36,8 +36,6 @@ def initialize(info={}) OptString.new('CPQLOGIN', [true, 'The homepage of the login', '/cpqlogin.htm']), OptString.new('LOGIN_REDIRECT', [true, 'The URL to redirect to', '/cpqlogin']) ]) - - deregister_options('PASSWORD_SPRAY') end def get_version(res) @@ -199,4 +197,3 @@ def run_host(ip) bruteforce(ip) end end - 
diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index f56c8076a20d..b9260700c34d 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb @@ -50,7 +50,7 @@ def initialize ] ) - deregister_options('USERNAME', 'PASSWORD', 'PASSWORD_SPRAY') + deregister_options('USERNAME', 'PASSWORD') end def to_uri(uri) diff --git a/modules/auxiliary/scanner/http/ipboard_login.rb b/modules/auxiliary/scanner/http/ipboard_login.rb index 2169f5e69bce..c02b4f0af72d 100644 --- a/modules/auxiliary/scanner/http/ipboard_login.rb +++ b/modules/auxiliary/scanner/http/ipboard_login.rb @@ -26,8 +26,6 @@ def initialize register_options([ OptString.new('TARGETURI', [true, "The directory of the IP Board install", "/forum/"]), ]) - - deregister_options('PASSWORD_SPRAY') end def run_host(ip) diff --git a/modules/auxiliary/scanner/http/jenkins_login.rb b/modules/auxiliary/scanner/http/jenkins_login.rb index b2937c74db3e..c652808abee0 100644 --- a/modules/auxiliary/scanner/http/jenkins_login.rb +++ b/modules/auxiliary/scanner/http/jenkins_login.rb @@ -28,8 +28,6 @@ def initialize OptString.new('TARGETURI', [ false, 'The path to the Jenkins-CI application']) ]) - deregister_options('PASSWORD_SPRAY') - register_autofilter_ports([ 80, 443, 8080, 8081, 8000 ]) end diff --git a/modules/auxiliary/scanner/http/jupyter_login.rb b/modules/auxiliary/scanner/http/jupyter_login.rb index 014cddd3f79d..0a9b9acd5fce 100644 --- a/modules/auxiliary/scanner/http/jupyter_login.rb +++ b/modules/auxiliary/scanner/http/jupyter_login.rb @@ -33,7 +33,7 @@ def initialize deregister_options( 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', - 'HttpUsername', 'PASSWORD_SPRAY', 'STOP_ON_SUCCESS', 'USERNAME', 'USERPASS_FILE', 'USER_AS_PASS', 'USER_FILE' + 'HttpUsername', 'STOP_ON_SUCCESS', 'USERNAME', 'USERPASS_FILE', 'USER_AS_PASS', 'USER_FILE' ) register_autofilter_ports([ 80, 443, 8888 ]) 
diff --git a/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb b/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb index 9c885121da97..9c8953305836 100644 --- a/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb +++ b/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb @@ -22,8 +22,6 @@ def initialize(info={}) 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 8020} )) - - deregister_options('PASSWORD_SPRAY') end diff --git a/modules/auxiliary/scanner/http/mybook_live_login.rb b/modules/auxiliary/scanner/http/mybook_live_login.rb index 9f7cbaa178f9..f71436e8b5ea 100644 --- a/modules/auxiliary/scanner/http/mybook_live_login.rb +++ b/modules/auxiliary/scanner/http/mybook_live_login.rb @@ -30,7 +30,7 @@ def initialize # username is hardcoded into application deregister_options( 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', - 'USERNAME', 'USER_FILE', 'USER_AS_PASS', 'PASSWORD_SPRAY') + 'USERNAME', 'USER_FILE', 'USER_AS_PASS') end def setup diff --git a/modules/auxiliary/scanner/http/octopusdeploy_login.rb b/modules/auxiliary/scanner/http/octopusdeploy_login.rb index df2eff350451..aef236797bc5 100644 --- a/modules/auxiliary/scanner/http/octopusdeploy_login.rb +++ b/modules/auxiliary/scanner/http/octopusdeploy_login.rb @@ -28,8 +28,6 @@ def initialize Opt::RPORT(80), OptString.new('TARGETURI', [true, 'URI for login. Default is /api/users/login', '/api/users/login']) ]) - - deregister_options('PASSWORD_SPRAY') end def run_host(ip) diff --git a/modules/auxiliary/scanner/http/phpmyadmin_login.rb b/modules/auxiliary/scanner/http/phpmyadmin_login.rb index 05d482f2a3a6..b4531a1609b5 100644 --- a/modules/auxiliary/scanner/http/phpmyadmin_login.rb +++ b/modules/auxiliary/scanner/http/phpmyadmin_login.rb 
@@ -34,8 +34,6 @@ def initialize(info={}) OptString.new('PASSWORD', [false, 'The password to PhpMyAdmin', '']), OptString.new('TARGETURI', [true, 'The path to PhpMyAdmin', '/index.php']) ]) - - deregister_options('PASSWORD_SPRAY') end def scanner(ip) diff --git a/modules/auxiliary/scanner/http/softing_sis_login.rb b/modules/auxiliary/scanner/http/softing_sis_login.rb index 288a883ad66e..d4f02dba6089 100644 --- a/modules/auxiliary/scanner/http/softing_sis_login.rb +++ b/modules/auxiliary/scanner/http/softing_sis_login.rb @@ -36,8 +36,6 @@ def initialize(info = {}) ) ) - deregister_options('PASSWORD_SPRAY') - # credentials are "admin:admin" by default register_options( [ diff --git a/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb b/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb index cca069238524..93f1369aebd9 100644 --- a/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb +++ b/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb @@ -27,8 +27,6 @@ def initialize(info={}) } )) - deregister_options('PASSWORD_SPRAY') - register_options( [ OptString.new('USERNAME', [false, 'The username to specify for authentication', '']), diff --git a/modules/auxiliary/scanner/http/syncovery_linux_login.rb b/modules/auxiliary/scanner/http/syncovery_linux_login.rb index 07c7de2c0dfd..f5c1b59648d4 100644 --- a/modules/auxiliary/scanner/http/syncovery_linux_login.rb +++ b/modules/auxiliary/scanner/http/syncovery_linux_login.rb @@ -43,8 +43,6 @@ def initialize(info = {}) OptString.new('TARGETURI', [false, 'The path to Syncovery', '/']) ] ) - - deregister_options('PASSWORD_SPRAY') end def scanner(ip) diff --git a/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb b/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb index e8947ddec871..ae7898672dfe 100644 --- a/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb +++ b/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb 
@@ -60,8 +60,8 @@ def initialize(info = {}) deregister_options( 'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', 'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', - 'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername', 'PASSWORD_SPRAY', 'BLANK_PASSWORDS', - 'USER_FILE', 'USERPASS_FILE', 'PASS_FILE', 'PASSWORD' + 'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername', 'BLANK_PASSWORDS', 'USER_FILE', + 'USERPASS_FILE', 'PASS_FILE', 'PASSWORD' ) end @@ -124,11 +124,13 @@ def run_host(ip) print_status("#{peer.strip} - Starting Brute-Forcer") scanner = Metasploit::Framework::LoginScanner::SyncoveryFileSyncBackup.new( - host: ip, - port: rport, - cred_details: cred_collection, - stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username - connection_timeout: 10 + configure_login_scanner( + host: ip, + port: rport, + cred_details: cred_collection, + stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username + connection_timeout: 10 + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb index fda7b96c4aa0..9540a343e175 100644 --- a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb +++ b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb @@ -67,8 +67,6 @@ def initialize File.join(Msf::Config.data_directory, "wordlists", "tomcat_mgr_default_pass.txt") ]), ]) - deregister_options('PASSWORD_SPRAY') - register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888, 9080, 19300 ]) end diff --git a/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb b/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb index 456484cceb0d..d7c718531db2 100644 --- a/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb 
+++ b/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb @@ -48,7 +48,7 @@ def initialize(info = {}) # Not supporting these options, because we are not actually letting the API to process the # password list for us. We are doing that in Metasploit::Framework::LoginScanner::WordpressRPC. deregister_options( - 'BLANK_PASSWORDS', 'PASSWORD', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_SKIP_EXISTING', 'PASSWORD_SPRAY' + 'BLANK_PASSWORDS', 'PASSWORD', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_SKIP_EXISTING' ) end diff --git a/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb b/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb index b299924adbf7..4751982af13d 100644 --- a/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb +++ b/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb @@ -38,7 +38,7 @@ def initialize(info = {}) Opt::RPORT(80), ]) - deregister_options('BLANK_PASSWORDS', 'PASSWORD_SPRAY') # we don't need these options + deregister_options('BLANK_PASSWORDS') # we don't need these options end def run_host(ip) diff --git a/modules/auxiliary/scanner/http/zabbix_login.rb b/modules/auxiliary/scanner/http/zabbix_login.rb index aa9200938f00..bccf1677dbfb 100644 --- a/modules/auxiliary/scanner/http/zabbix_login.rb +++ b/modules/auxiliary/scanner/http/zabbix_login.rb @@ -27,8 +27,6 @@ def initialize 'License' => MSF_LICENSE ) - deregister_options('PASSWORD_SPRAY') - register_options( [ Opt::RPORT(80), diff --git a/modules/auxiliary/scanner/ldap/ldap_login.rb b/modules/auxiliary/scanner/ldap/ldap_login.rb index c60b79b1b039..901052767c13 100644 --- a/modules/auxiliary/scanner/ldap/ldap_login.rb +++ b/modules/auxiliary/scanner/ldap/ldap_login.rb @@ -58,8 +58,7 @@ def run_host(ip) password: datastore['PASSWORD'], realm: datastore['DOMAIN'], anonymous_login: datastore['ANONYMOUS_LOGIN'], - blank_passwords: false, - password_spray: datastore['PASSWORD_SPRAY'] + blank_passwords: false ) opts = { 
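Review bot: The ldap_login.rb hunk removes `password_spray: datastore['PASSWORD_SPRAY']` from the `build_credential_collection` call, and neither this hunk nor the new `configure_login_scanner` defaults read `PASSWORD_SPRAY`, while the rest of the patch stops deregistering that option in every module; unless `build_credential_collection` in auth_brute.rb now reads the option itself (its only visible change here is an added `include`), the LDAP module silently loses spraying. If it does, a one-line comment above the call such as `# PASSWORD_SPRAY is applied inside build_credential_collection` would spare the next reader this check; if it does not, the removed line should stay. The enclosing `run_host` continues outside the hunk.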
@@ -83,16 +82,18 @@ def run_host(ip) end scanner = Metasploit::Framework::LoginScanner::LDAP.new( - host: ip, - port: rport, - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - connection_timeout: datastore['LDAP::ConnectTimeout'].to_i, - framework: framework, - framework_module: self, - realm_key: realm_key, - opts: opts + configure_login_scanner( + host: ip, + port: rport, + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + connection_timeout: datastore['LDAP::ConnectTimeout'].to_i, + framework: framework, + framework_module: self, + realm_key: realm_key, + opts: opts + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb b/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb index c3ed85937329..cdb75eddd6f4 100644 --- a/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb +++ b/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb @@ -55,7 +55,7 @@ def initialize(info = {}) deregister_options( 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', 'BLANK_PASSWORDS', 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', - 'PASSWORD_SPRAY', 'STOP_ON_SUCCESS' + 'STOP_ON_SUCCESS' ) end @@ -67,11 +67,13 @@ def run_host(ip) cred_collection = prepend_db_passwords(cred_collection) scanner = Metasploit::Framework::LoginScanner::FreeswitchEventSocket.new( - host: ip, - port: rport, - cred_details: cred_collection, - stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username - connection_timeout: 10 + configure_login_scanner( + host: ip, + port: rport, + cred_details: cred_collection, + stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username + connection_timeout: 10 + ) ) scanner.scan! do |result| 
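Review bot: freeswitch_event_socket_login.rb deregisters every username-related option (USERNAME, USER_FILE, USERPASS_FILE, DB_ALL_USERS) yet now stops deregistering PASSWORD_SPRAY; that option only changes how user/password pairs are ordered, which has no meaning for a password-only service, so if the shared helper registers it unconditionally it will be shown with no effect. Consider keeping `'PASSWORD_SPRAY'` in this list, and in the other modules on this page that have no username or password dimension — redis_login.rb, snmp_login.rb, varnish_cli_login.rb, vnc_login.rb and the key-only ssh_login_pubkey.rb — or have the helper document that it is a no-op for them. Whether the option is now registered per module or globally is decided in lib/msf/core/auxiliary/auth_brute.rb, which is not in this chunk.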
diff --git a/modules/auxiliary/scanner/mqtt/connect.rb b/modules/auxiliary/scanner/mqtt/connect.rb index d1b095941ef0..91500695a22f 100644 --- a/modules/auxiliary/scanner/mqtt/connect.rb +++ b/modules/auxiliary/scanner/mqtt/connect.rb @@ -36,8 +36,6 @@ def initialize 'PASS_FILE' => 'data/wordlists/unix_passwords.txt' } ) - - deregister_options('PASSWORD_SPRAY') end def test_login(username, password) @@ -76,25 +74,27 @@ def brute ) scanner = Metasploit::Framework::LoginScanner::MQTT.new( - host: rhost, - port: rport, - read_timeout: datastore['READ_TIMEOUT'], - client_id: client_id, - proxies: datastore['PROXIES'], - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - connection_timeout: datastore['ConnectTimeout'], - max_send_size: datastore['TCP::max_send_size'], - send_delay: datastore['TCP::send_delay'], - framework: framework, - framework_module: self, - ssl: datastore['SSL'], - ssl_version: datastore['SSLVersion'], - ssl_verify_mode: datastore['SSLVerifyMode'], - ssl_cipher: datastore['SSLCipher'], - local_port: datastore['CPORT'], - local_host: datastore['CHOST'] + configure_login_scanner( + host: rhost, + port: rport, + read_timeout: datastore['READ_TIMEOUT'], + client_id: client_id, + proxies: datastore['PROXIES'], + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + connection_timeout: datastore['ConnectTimeout'], + max_send_size: datastore['TCP::max_send_size'], + send_delay: datastore['TCP::send_delay'], + framework: framework, + framework_module: self, + ssl: datastore['SSL'], + ssl_version: datastore['SSLVersion'], + ssl_verify_mode: datastore['SSLVerifyMode'], + ssl_cipher: datastore['SSLCipher'], + local_port: datastore['CPORT'], + local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| 
diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb index 20c854ed3c59..83e69d52977f 100644 --- a/modules/auxiliary/scanner/mssql/mssql_login.rb +++ b/modules/auxiliary/scanner/mssql/mssql_login.rb @@ -40,11 +40,10 @@ def initialize OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false]) ]) - options_to_deregister = %w[PASSWORD_SPRAY] if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE) add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session') else - options_to_deregister << 'CreateSession' + options_to_deregister = %w[CreateSession] end deregister_options(*options_to_deregister) end @@ -92,6 +91,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::MSSQL.new( + configure_login_scanner( host: ip, port: rport, proxies: datastore['PROXIES'], @@ -115,6 +115,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) successful_logins = [] successful_sessions = [] diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb index 076219895189..e1bc9ba44b36 100644 --- a/modules/auxiliary/scanner/mysql/mysql_login.rb +++ b/modules/auxiliary/scanner/mysql/mysql_login.rb @@ -39,11 +39,10 @@ def initialize(info = {}) OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false]) ]) - options_to_deregister = %w[PASSWORD_SPRAY] if framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE) add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session') else - options_to_deregister << 'CreateSession' + options_to_deregister = %w[CreateSession] end deregister_options(*options_to_deregister) end 
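Review bot: In mssql_login.rb's initialize, `options_to_deregister` is now assigned only in the else branch, so on the feature-enabled path the closing `deregister_options(*options_to_deregister)` splats a nil local; Ruby expands `*nil` to no arguments, so it does not raise, but the call only works because of parse-time local hoisting and reads like a bug to the next maintainer. Either initialise the array before the branch, `options_to_deregister = []`, and restore `options_to_deregister << 'CreateSession'` in the else, or drop the variable and write `deregister_options('CreateSession') unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)` after the add_info block. The mysql_login.rb initialize hunk further along this line has the same pattern; postgres_login.rb and smb_login.rb keep the array initialised and are fine.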
@@ -83,9 +82,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::MySQL.new( - host: ip, - port: rport, - proxies: datastore['Proxies'], + configure_login_scanner( cred_details: cred_collection, stop_on_success: datastore['STOP_ON_SUCCESS'], bruteforce_speed: datastore['BRUTEFORCE_SPEED'], @@ -101,6 +98,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) successful_logins = [] diff --git a/modules/auxiliary/scanner/nessus/nessus_rest_login.rb b/modules/auxiliary/scanner/nessus/nessus_rest_login.rb index 09e8fc9bd615..1781f7a55b99 100644 --- a/modules/auxiliary/scanner/nessus/nessus_rest_login.rb +++ b/modules/auxiliary/scanner/nessus/nessus_rest_login.rb @@ -31,7 +31,7 @@ def initialize(info={}) OptString.new('TARGETURI', [ true, 'The path to the Nessus server login API', '/session']), ]) - deregister_options('HttpUsername', 'HttpPassword', 'PASSWORD_SPRAY') + deregister_options('HttpUsername', 'HttpPassword') end diff --git a/modules/auxiliary/scanner/pop3/pop3_login.rb b/modules/auxiliary/scanner/pop3/pop3_login.rb index e4fb78b33779..43d0dcd006d0 100644 --- a/modules/auxiliary/scanner/pop3/pop3_login.rb +++ b/modules/auxiliary/scanner/pop3/pop3_login.rb @@ -43,8 +43,6 @@ def initialize File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt') ]) ]) - - deregister_options('PASSWORD_SPRAY') end def target 
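Review bot: mysql_login.rb's scanner is now built without `host: ip`, `port: rport` and `proxies: datastore['Proxies']`, which this hunk removes while wrapping the remaining keys in configure_login_scanner, whereas every other module on this page (postgres_login.rb, pop3_login.rb, smb_login.rb and the rest) keeps those three keys explicit inside the wrapper. Unless configure_login_scanner fills in host, port and proxies itself — its definition in lib/msf/core/auxiliary/login_scanner.rb is not in this chunk — the MySQL scanner will be constructed without a target; if it does fill them in, the other modules carry redundant keys. The two forms should agree either way; the safe choice is to keep the three lines here until the helper's defaults are confirmed, and run_host continues outside the hunk.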
@@ -58,22 +56,24 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::POP3.new( - host: ip, - port: rport, - proxies: datastore['PROXIES'], - ssl: datastore['SSL'], - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - max_send_size: datastore['TCP::max_send_size'], - send_delay: datastore['TCP::send_delay'], - framework: framework, - framework_module: self, - ssl_version: datastore['SSLVersion'], - ssl_verify_mode: datastore['SSLVerifyMode'], - ssl_cipher: datastore['SSLCipher'], - local_port: datastore['CPORT'], - local_host: datastore['CHOST'] + configure_login_scanner( + host: ip, + port: rport, + proxies: datastore['PROXIES'], + ssl: datastore['SSL'], + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + max_send_size: datastore['TCP::max_send_size'], + send_delay: datastore['TCP::send_delay'], + framework: framework, + framework_module: self, + ssl_version: datastore['SSLVersion'], + ssl_verify_mode: datastore['SSLVerifyMode'], + ssl_cipher: datastore['SSLCipher'], + local_port: datastore['CPORT'], + local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/postgres/postgres_login.rb b/modules/auxiliary/scanner/postgres/postgres_login.rb index a7f9cdd225fb..f12706b4009c 100644 --- a/modules/auxiliary/scanner/postgres/postgres_login.rb +++ b/modules/auxiliary/scanner/postgres/postgres_login.rb @@ -48,7 +48,7 @@ def initialize(info = {}) OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false]) ]) - options_to_deregister = %w[SQL PASSWORD_SPRAY] + options_to_deregister = %w[SQL] if framework.features.enabled?(Msf::FeatureManager::POSTGRESQL_SESSION_TYPE) add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session') else 
@@ -88,16 +88,18 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::Postgres.new( - host: ip, - port: rport, - proxies: datastore['Proxies'], - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - connection_timeout: 30, - framework: framework, - framework_module: self, - use_client_as_proof: create_session? + configure_login_scanner( + host: ip, + port: rport, + proxies: datastore['Proxies'], + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + connection_timeout: 30, + framework: framework, + framework_module: self, + use_client_as_proof: create_session? + ) ) successful_logins = [] successful_sessions = [] diff --git a/modules/auxiliary/scanner/redis/redis_login.rb b/modules/auxiliary/scanner/redis/redis_login.rb index 4064723ea7b6..491d26431c3e 100644 --- a/modules/auxiliary/scanner/redis/redis_login.rb +++ b/modules/auxiliary/scanner/redis/redis_login.rb @@ -38,7 +38,7 @@ def initialize(info = {}) # redis does not have an username, there's only password deregister_options( 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', - 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASSWORD_SPRAY' + 'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE' ) end @@ -70,12 +70,14 @@ def run_host(ip) cred_collection = prepend_db_passwords(cred_collection) scanner = Metasploit::Framework::LoginScanner::Redis.new( - host: ip, - port: rport, - proxies: datastore['PROXIES'], - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - connection_timeout: 30 + configure_login_scanner( + host: ip, + port: rport, + proxies: datastore['PROXIES'], + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + connection_timeout: 30 + ) ) scanner.scan! do |result| 
diff --git a/modules/auxiliary/scanner/sage/x3_adxsrv_login.rb b/modules/auxiliary/scanner/sage/x3_adxsrv_login.rb index d3b2a96d2b29..f25df8259f72 100644 --- a/modules/auxiliary/scanner/sage/x3_adxsrv_login.rb +++ b/modules/auxiliary/scanner/sage/x3_adxsrv_login.rb @@ -39,7 +39,7 @@ def initialize(_info = {}) ] ) - deregister_options('PASSWORD_SPRAY', 'BLANK_PASSWORDS') + deregister_options('BLANK_PASSWORDS') end def run_host(ip) @@ -50,17 +50,19 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::X3.new( - host: ip, - port: rport, - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - max_send_size: datastore['TCP::max_send_size'], - send_delay: datastore['TCP::send_delay'], - framework: framework, - framework_module: self, - local_port: datastore['CPORT'], - local_host: datastore['CHOST'] + configure_login_scanner( + host: ip, + port: rport, + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + max_send_size: datastore['TCP::max_send_size'], + send_delay: datastore['TCP::send_delay'], + framework: framework, + framework_module: self, + local_port: datastore['CPORT'], + local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 4a3d6903008a..a5fb6bd67b5b 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -66,7 +66,7 @@ def initialize ] ) - options_to_deregister = %w[USERNAME PASSWORD PASSWORD_SPRAY CommandShellCleanupCommand AutoVerifySession] + options_to_deregister = %w[USERNAME PASSWORD CommandShellCleanupCommand AutoVerifySession] if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE) add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session') 
@@ -131,21 +131,23 @@ def run_host(ip) end @scanner = Metasploit::Framework::LoginScanner::SMB.new( - host: ip, - port: rport, - local_port: datastore['CPORT'], - stop_on_success: datastore['STOP_ON_SUCCESS'], - proxies: datastore['Proxies'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - connection_timeout: 5, - max_send_size: datastore['TCP::max_send_size'], - send_delay: datastore['TCP::send_delay'], - framework: framework, - framework_module: self, - always_encrypt: datastore['SMB::AlwaysEncrypt'], - versions: datastore['SMB::ProtocolVersion'].split(',').map(&:strip).reject(&:blank?).map(&:to_i), - kerberos_authenticator_factory: kerberos_authenticator_factory, - use_client_as_proof: create_session? + configure_login_scanner( + host: ip, + port: rport, + local_port: datastore['CPORT'], + stop_on_success: datastore['STOP_ON_SUCCESS'], + proxies: datastore['Proxies'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + connection_timeout: 5, + max_send_size: datastore['TCP::max_send_size'], + send_delay: datastore['TCP::send_delay'], + framework: framework, + framework_module: self, + always_encrypt: datastore['SMB::AlwaysEncrypt'], + versions: datastore['SMB::ProtocolVersion'].split(',').map(&:strip).reject(&:blank?).map(&:to_i), + kerberos_authenticator_factory: kerberos_authenticator_factory, + use_client_as_proof: create_session? + ) ) if datastore['DETECT_ANY_AUTH'] diff --git a/modules/auxiliary/scanner/snmp/snmp_login.rb b/modules/auxiliary/scanner/snmp/snmp_login.rb index b8d281f57616..6735c4c3fb59 100644 --- a/modules/auxiliary/scanner/snmp/snmp_login.rb +++ b/modules/auxiliary/scanner/snmp/snmp_login.rb @@ -38,7 +38,7 @@ def initialize ]) ]) - deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'PASSWORD_SPRAY') + deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE') end # Operate on a single host so that we can take advantage of multithreading 
@@ -50,6 +50,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::SNMP.new( + configure_login_scanner( host: ip, port: rport, protocol: datastore['PROTOCOL'], @@ -60,6 +61,7 @@ def run_host(ip) framework: framework, framework_module: self, queue_size: 100 + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/ssh/karaf_login.rb b/modules/auxiliary/scanner/ssh/karaf_login.rb index 7086659a940a..e9b9672ffb5b 100644 --- a/modules/auxiliary/scanner/ssh/karaf_login.rb +++ b/modules/auxiliary/scanner/ssh/karaf_login.rb @@ -49,8 +49,6 @@ def initialize OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) - - deregister_options('PASSWORD_SPRAY') end def rport @@ -88,14 +86,16 @@ def run_host(ip) end scanner = Metasploit::Framework::LoginScanner::SSH.new( - host: ip, - port: rport, - cred_details: cred_collection, - proxies: datastore['Proxies'], - stop_on_success: datastore['STOP_ON_SUCCESS'], - connection_timeout: datastore['SSH_TIMEOUT'], - framework: framework, - framework_module: self, + configure_login_scanner( + host: ip, + port: rport, + cred_details: cred_collection, + proxies: datastore['Proxies'], + stop_on_success: datastore['STOP_ON_SUCCESS'], + connection_timeout: datastore['SSH_TIMEOUT'], + framework: framework, + framework_module: self, + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb index 660522da9759..1cab12905b80 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login.rb @@ -48,8 +48,6 @@ def initialize OptBool.new('GatherProof', [true, 'Gather proof of access via pre-session shell commands', true]) ] ) - - deregister_options('PASSWORD_SPRAY') end def rport 
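Review bot: karaf_login.rb's rewritten scanner construction ends with `framework_module: self,` directly followed by the newly added `)`, leaving a trailing comma before the closing parenthesis of configure_login_scanner; this is valid Ruby, but none of the other modules in this series write the call that way, and the varnish_cli_login.rb hunk further down carries the same trailing comma on a freshly added line. Dropping it, `framework_module: self`, keeps both calls consistent with the rest of the change. run_host in both files continues outside the hunk.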
@@ -100,16 +98,18 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::SSH.new( - host: ip, - port: rport, - cred_details: cred_collection, - proxies: datastore['Proxies'], - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - connection_timeout: datastore['SSH_TIMEOUT'], - framework: framework, - framework_module: self, - skip_gather_proof: !datastore['GatherProof'] + configure_login_scanner( + host: ip, + port: rport, + cred_details: cred_collection, + proxies: datastore['Proxies'], + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + connection_timeout: datastore['SSH_TIMEOUT'], + framework: framework, + framework_module: self, + skip_gather_proof: !datastore['GatherProof'] + ) ) scanner.verbosity = :debug if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb index a477ab019720..ff3ce668db6d 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb @@ -57,7 +57,7 @@ def initialize ) deregister_options( - 'PASSWORD','PASS_FILE','BLANK_PASSWORDS','USER_AS_PASS','USERPASS_FILE','PASSWORD_SPRAY', + 'PASSWORD','PASS_FILE','BLANK_PASSWORDS','USER_AS_PASS','USERPASS_FILE', 'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_SKIP_EXISTING' ) 
@@ -153,16 +153,18 @@ def run_host(ip) print_brute :level => :vstatus, :ip => ip, :msg => "Testing #{key_count} #{'key'.pluralize(key_count)} from #{key_sources.join(' and ')}" scanner = Metasploit::Framework::LoginScanner::SSH.new( - host: ip, - port: rport, - cred_details: keys, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - proxies: datastore['Proxies'], - connection_timeout: datastore['SSH_TIMEOUT'], - framework: framework, - framework_module: self, - skip_gather_proof: !datastore['GatherProof'] + configure_login_scanner( + host: ip, + port: rport, + cred_details: keys, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + proxies: datastore['Proxies'], + connection_timeout: datastore['SSH_TIMEOUT'], + framework: framework, + framework_module: self, + skip_gather_proof: !datastore['GatherProof'] + ) ) scanner.verbosity = :debug if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/telnet/brocade_enable_login.rb b/modules/auxiliary/scanner/telnet/brocade_enable_login.rb index 5e100c55217c..197c68633fd2 100644 --- a/modules/auxiliary/scanner/telnet/brocade_enable_login.rb +++ b/modules/auxiliary/scanner/telnet/brocade_enable_login.rb @@ -41,8 +41,6 @@ def initialize ], self.class ) - deregister_options('PASSWORD_SPRAY') - @no_pass_prompt = [] end @@ -96,6 +94,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::Telnet.new( + configure_login_scanner( host: ip, port: rport, proxies: datastore['PROXIES'], @@ -116,6 +115,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb index e3ade3ea511a..78447276b33b 100644 --- a/modules/auxiliary/scanner/telnet/telnet_login.rb +++ b/modules/auxiliary/scanner/telnet/telnet_login.rb 
@@ -38,8 +38,6 @@ def initialize ], self.class ) - deregister_options('PASSWORD_SPRAY') - @no_pass_prompt = [] end @@ -53,6 +51,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::Telnet.new( + configure_login_scanner( host: ip, port: rport, proxies: datastore['PROXIES'], @@ -72,6 +71,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/varnish/varnish_cli_login.rb b/modules/auxiliary/scanner/varnish/varnish_cli_login.rb index b40d1317056b..d84374b64fa1 100644 --- a/modules/auxiliary/scanner/varnish/varnish_cli_login.rb +++ b/modules/auxiliary/scanner/varnish/varnish_cli_login.rb @@ -40,8 +40,6 @@ def initialize File.join(Msf::Config.data_directory, 'wordlists', 'unix_passwords.txt') ]) ]) - deregister_options('PASSWORD_SPRAY') - # We don't currently support an auth mechanism that uses usernames, so we'll ignore any # usernames that are passed in. @strip_usernames = true @@ -70,14 +68,15 @@ def run_host(ip) username: '' ) scanner = Metasploit::Framework::LoginScanner::VarnishCLI.new( - host: ip, - port: rport, - cred_details: cred_collection, - stop_on_success: true, - connection_timeout: 10, - framework: framework, - framework_module: self, - + configure_login_scanner( + host: ip, + port: rport, + cred_details: cred_collection, + stop_on_success: true, + connection_timeout: 10, + framework: framework, + framework_module: self, + ) ) scanner.scan! do |result| credential_data = result.to_h diff --git a/modules/auxiliary/scanner/vmware/vmauthd_login.rb b/modules/auxiliary/scanner/vmware/vmauthd_login.rb index d2750354a95e..55934cb40e67 100644 --- a/modules/auxiliary/scanner/vmware/vmauthd_login.rb +++ b/modules/auxiliary/scanner/vmware/vmauthd_login.rb @@ -29,8 +29,6 @@ def initialize ) register_options([Opt::RPORT(902)]) - - deregister_options('PASSWORD_SPRAY') end def run_host(ip) 
@@ -62,23 +60,25 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::VMAUTHD.new( - host: ip, - port: rport, - proxies: datastore['PROXIES'], - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - connection_timeout: 30, - max_send_size: datastore['TCP::max_send_size'], - send_delay: datastore['TCP::send_delay'], - framework: framework, - framework_module: self, - ssl: datastore['SSL'], - ssl_version: datastore['SSLVersion'], - ssl_verify_mode: datastore['SSLVerifyMode'], - ssl_cipher: datastore['SSLCipher'], - local_port: datastore['CPORT'], - local_host: datastore['CHOST'] + configure_login_scanner( + host: ip, + port: rport, + proxies: datastore['PROXIES'], + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + connection_timeout: 30, + max_send_size: datastore['TCP::max_send_size'], + send_delay: datastore['TCP::send_delay'], + framework: framework, + framework_module: self, + ssl: datastore['SSL'], + ssl_version: datastore['SSLVersion'], + ssl_verify_mode: datastore['SSLVerifyMode'], + ssl_cipher: datastore['SSLCipher'], + local_port: datastore['CPORT'], + local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb index 837313185525..6acbaf9a7931 100644 --- a/modules/auxiliary/scanner/vnc/vnc_login.rb +++ b/modules/auxiliary/scanner/vnc/vnc_login.rb @@ -46,8 +46,6 @@ def initialize OptBool.new('USER_AS_PASS', [false, 'Try the username as the password for all users', false]) ]) - deregister_options('PASSWORD_SPRAY') - register_autofilter_ports((5900..5910).to_a) # Each instance increments the port by one. # We don't currently support an auth mechanism that uses usernames, so we'll ignore any 
@@ -64,6 +62,7 @@ def run_host(ip) ) scanner = Metasploit::Framework::LoginScanner::VNC.new( + configure_login_scanner( host: ip, port: rport, proxies: datastore['PROXIES'], @@ -81,6 +80,7 @@ def run_host(ip) ssl_cipher: datastore['SSLCipher'], local_port: datastore['CPORT'], local_host: datastore['CHOST'] + ) ) scanner.scan! do |result| diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb index 4e359f5bd135..2915ca92255a 100644 --- a/modules/auxiliary/scanner/winrm/winrm_login.rb +++ b/modules/auxiliary/scanner/winrm/winrm_login.rb @@ -33,8 +33,6 @@ module without SSL, the 'AllowUnencrypted' winrm option must be set. ], 'License' => MSF_LICENSE ) - - deregister_options('PASSWORD_SPRAY') end def run @@ -74,17 +72,19 @@ def run_host(ip) keep_connection_alive = datastore['CreateSession'] scanner = Metasploit::Framework::LoginScanner::WinRM.new( - host: ip, - port: rport, - proxies: datastore['Proxies'], - cred_details: cred_collection, - stop_on_success: datastore['STOP_ON_SUCCESS'], - bruteforce_speed: datastore['BRUTEFORCE_SPEED'], - connection_timeout: 10, - framework: framework, - framework_module: self, - kerberos_authenticator_factory: kerberos_authenticator_factory, - keep_connection_alive: keep_connection_alive + configure_login_scanner( + host: ip, + port: rport, + proxies: datastore['Proxies'], + cred_details: cred_collection, + stop_on_success: datastore['STOP_ON_SUCCESS'], + bruteforce_speed: datastore['BRUTEFORCE_SPEED'], + connection_timeout: 10, + framework: framework, + framework_module: self, + kerberos_authenticator_factory: kerberos_authenticator_factory, + keep_connection_alive: keep_connection_alive + ) ) scanner.scan! do |result|