Class: Metasploit::Framework::LoginScanner::VMAUTHD

Inherits:
Object
  • Object
show all
Includes:
Base, RexSocket, Tcp::Client
Defined in:
lib/metasploit/framework/login_scanner/vmauthd.rb

Overview

This is the LoginScanner class for dealing with vmware-auth. It is responsible for taking a single target, and a list of credentials and attempting them. It then saves the results.

Constant Summary collapse

DEFAULT_PORT =
902
LIKELY_PORTS =
[ DEFAULT_PORT, 903, 912 ]
LIKELY_SERVICE_NAMES =
[ 'vmauthd', 'vmware-auth' ]
PRIVATE_TYPES =
[ :password ]
REALM_KEY =
nil

Instance Attribute Summary

Attributes included from Tcp::Client

#max_send_size, #send_delay, #sock

Instance Method Summary collapse

Methods included from Tcp::Client

#chost, #connect, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Method Details

#attempt_login(credential) ⇒ Metasploit::Framework::LoginScanner::Result

This method attempts a single login with a single credential against the target

Parameters:

  • credential (Credential)

    The credential object to attempt to login with

Returns:


26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# File 'lib/metasploit/framework/login_scanner/vmauthd.rb', line 26

def (credential)
  result_options = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    service_name: 'vmauthd',
    protocol: 'tcp'
  }

  disconnect if self.sock

  begin
    connect
    select([sock], nil, nil, 0.4)

    # Check to see if we received an OK?
    result_options[:proof] = sock.get_once
    if result_options[:proof] && result_options[:proof][/^220 VMware Authentication Daemon Version.*/]
      # Switch to SSL if required
      swap_sock_plain_to_ssl(sock) if result_options[:proof] && result_options[:proof][/SSL/]

      # If we received an OK we should send the USER
      sock.put("USER #{credential.public}\r\n")
      result_options[:proof] = sock.get_once

      if result_options[:proof] && result_options[:proof][/^331.*/]
        # If we got an OK after the username we can send the PASS
        sock.put("PASS #{credential.private}\r\n")
        result_options[:proof] = sock.get_once

        if result_options[:proof] && result_options[:proof][/^230.*/]
          # if the pass gives an OK, we're good to go
          result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
        end
      end
    end

  rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
    result_options.merge!(
      proof: e.message,
      status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    )
  end

  disconnect if self.sock

  Result.new(result_options)
end