Class: Metasploit::Framework::LoginScanner::BavisionCameras

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::BavisionCameras

Defined in:

lib/metasploit/framework/login_scanner/bavision_cameras.rb

Constant Summary

DEFAULT_PORT =

80

PRIVATE_TYPES =

[ :password ]

LOGIN_STATUS =

Shorter name

Metasploit::Model::Login::Status

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Attempts to login to the camera.

• #check_setup ⇒ String

  Checks if the target is BAVision Camera’s web server.

• #digest_auth(user, password, response) ⇒ Object

  The Rex HTTP Digest auth is making the camera server to refuse to respond for some reason.

• #try_digest_auth(cred) ⇒ Object

  Auth to the server using digest auth.

Methods inherited from HTTP

#authentication_required?, #send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to the camera. This is called first.

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Result) —

  A Result object indicating success or failure

# File 'lib/metasploit/framework/login_scanner/bavision_cameras.rb', line 103

def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  begin
    result_opts.merge!(try_digest_auth(credential))
  rescue ::Rex::ConnectionError, BavisionCamerasException => e
    # Something went wrong during login. 'e' knows what's up.
    result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
  end

  Result.new(result_opts)
end

#check_setup ⇒ String

Checks if the target is BAVision Camera’s web server. The login module should call this.

Returns:

• (String) —

  Error message if target is not a BAVision camera, otherwise FalseClass

# File 'lib/metasploit/framework/login_scanner/bavision_cameras.rb', line 20

def check_setup
  login_uri = normalize_uri("#{uri}")
  res = send_request({'uri'=> login_uri})

  unless res && res.headers['WWW-Authenticate'] && res.headers['WWW-Authenticate'].match(/realm="IPCamera Login"/)
    return "Unable to locate \"realm=IPCamera Login\" in headers. (Is this really a BAVision camera?)"
  end

  false
end

#digest_auth(user, password, response) ⇒ Object

The Rex HTTP Digest auth is making the camera server to refuse to respond for some reason. The API also fails to generate the CNONCE parameter (bug), which makes it unsuitable for our needs, therefore we have our own implementation of digest auth.

# File 'lib/metasploit/framework/login_scanner/bavision_cameras.rb', line 60

def digest_auth(user, password, response)
  nonce_count = 1
  cnonce = Digest::MD5.hexdigest("%x" % (Time.now.to_i + rand(65535)))

  i = (response['www-authenticate'] =~ /^(\w+) (.*)/)

  # The www-authenticate header does not return in the format we like,
  # so let's bail.
  unless i
    raise BavisionCamerasException, 'www-authenticate header is not in the right format'
  end

  params = {}
  $2.gsub(/(\w+)="(.*?)"/) { params[$1] = $2 }

  a_1 = "#{user}:#{params['realm']}:#{password}"
  a_2 = "GET:#{uri}"
  request_digest = ''
  request_digest << Digest::MD5.hexdigest(a_1)
  request_digest << ':' << params['nonce']
  request_digest << ':' << ('%08x' % nonce_count)
  request_digest << ':' << cnonce
  request_digest << ':' << params['qop']
  request_digest << ':' << Digest::MD5.hexdigest(a_2)

  header = []
  header << "Digest username=\"#{user}\""
  header << "realm=\"#{params['realm']}\""
  header << "qop=#{params['qop']}"
  header << "uri=\"/\""
  header << "nonce=\"#{params['nonce']}\""
  header << "nc=#{'%08x' % nonce_count}"
  header << "cnonce=\"#{cnonce}\""
  header << "response=\"#{Digest::MD5.hexdigest(request_digest)}\""

  header * ', '
end

#try_digest_auth(cred) ⇒ Object

Auth to the server using digest auth

# File 'lib/metasploit/framework/login_scanner/bavision_cameras.rb', line 33

def try_digest_auth(cred)
  login_uri = normalize_uri("#{uri}")
  res = send_request({
    'uri'        => login_uri,
    'credential' => cred,
    'DigestAuthIIS' => false,
    'headers' => {'Accept'=> '*/*'}
  })

  digest = digest_auth(cred.public, cred.private, res.headers)

  res = send_request({
    'uri' => login_uri,
    'headers' => {
      'Authorization' => digest
    }})

  if res && res.code == 200 && res.body =~ /hy\-cgi\/user\.cgi/
    return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.body}
  end

  {:status => LOGIN_STATUS::INCORRECT, :proof => res.body}
end