Class: Metasploit::Framework::LoginScanner::VMAUTHD

Inherits:
Object
Includes:
Base, RexSocket, Tcp::Client
Defined in:
lib/metasploit/framework/login_scanner/vmauthd.rb

Overview

This is the LoginScanner class for dealing with vmware-auth (vmauthd). It is responsible for taking a single target and a list of credentials, attempting each credential against that target, and saving the results.

Constant Summary

DEFAULT_PORT =
902
LIKELY_PORTS =
[ DEFAULT_PORT, 903, 912 ]
LIKELY_SERVICE_NAMES =
[ 'vmauthd', 'vmware-auth' ]
PRIVATE_TYPES =
[ :password ]
REALM_KEY =
nil

Instance Attribute Summary

Attributes included from Tcp::Client

#max_send_size, #send_delay, #sock

Instance Method Summary

Methods included from Tcp::Client

#chost, #connect, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Method Details

#attempt_login(credential) ⇒ Metasploit::Framework::LoginScanner::Result

This method attempts a single login with a single credential against the target.

Parameters:

  • credential (Credential)

    The credential object to attempt to log in with.

Returns:

  • (Metasploit::Framework::LoginScanner::Result)

    The outcome of the attempt. Its status is SUCCESSFUL, INCORRECT or UNABLE_TO_CONNECT, and its proof holds the last response read from the daemon, or the exception message when the connection failed.

# File 'lib/metasploit/framework/login_scanner/vmauthd.rb', line 26

def attempt_login(credential)
  result_options = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    service_name: 'vmauthd',
    protocol: 'tcp'
  }

  disconnect if self.sock

  begin
    connect
    select([sock], nil, nil, 0.4)

    # Check to see if we received an OK?
    result_options[:proof] = sock.get_once
    if result_options[:proof] && result_options[:proof][/^220 VMware Authentication Daemon Version.*/]
      # Switch to SSL if required
      swap_sock_plain_to_ssl(sock) if result_options[:proof] && result_options[:proof][/SSL/]

      # If we received an OK we should send the USER
      sock.put("USER #{credential.public}\r\n")
      result_options[:proof] = sock.get_once

      if result_options[:proof] && result_options[:proof][/^331.*/]
        # If we got an OK after the username we can send the PASS
        sock.put("PASS #{credential.private}\r\n")
        result_options[:proof] = sock.get_once

        if result_options[:proof] && result_options[:proof][/^230.*/]
          # if the pass gives an OK, we're good to go
          result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
        end
      end
    end

  rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
    result_options.merge!(
      proof: e.message,
      status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    )
  end

  disconnect if self.sock

  Result.new(result_options)
end
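The exchange this method drives (220 banner, USER, 331, PASS, 230), replayed against a scripted stand-in for the daemon so the mapping from responses to the three result statuses can be checked offline. This is an added example, not Metasploit's code: ScriptedPeer, vmauthd_login_status and the server lines are all constructed here, and the TLS upgrade the real scanner performs on an "SSL" banner is left out.

```ruby
# Added example, not part of Metasploit: a scripted stand-in for the daemon
# side of the exchange plus a stand-alone classifier that applies the same
# rules as attempt_login (220 banner -> USER -> 331 -> PASS -> 230).
require 'timeout'

# Fake socket: replies are handed out in order by get_once; put records what
# the client sent. The symbol :close simulates the peer hanging up.
class ScriptedPeer
  attr_reader :sent
  def initialize(replies)
    @replies = replies.dup
    @sent = []
  end
  def get_once
    reply = @replies.shift
    raise EOFError, 'peer closed connection' if reply == :close
    reply
  end
  def put(data)
    @sent << data
  end
end

# Returns [status, proof], mirroring how attempt_login fills result_options.
# Note that a silent or non-vmauthd peer is reported as :incorrect, not
# :unable_to_connect; only a raised connection error produces the latter.
def vmauthd_login_status(peer, user, pass)
  proof = peer.get_once
  return [:incorrect, proof] unless proof && proof[/^220 VMware Authentication Daemon Version.*/]
  peer.put("USER #{user}\r\n")
  proof = peer.get_once
  return [:incorrect, proof] unless proof && proof[/^331.*/]
  peer.put("PASS #{pass}\r\n")
  proof = peer.get_once
  [proof && proof[/^230.*/] ? :successful : :incorrect, proof]
rescue EOFError, Errno::EPIPE, Timeout::Error => e
  [:unable_to_connect, e.message]
end

BANNER = "220 VMware Authentication Daemon Version 1.10: SSL Required\r\n" # constructed sample

# Four constructed transcripts covering each status the scanner can report.
def sample_outcomes
  {
    valid:       vmauthd_login_status(ScriptedPeer.new([BANNER, "331 Password required\r\n", "230 User logged in\r\n"]), 'root', 'pw'),
    bad_pass:    vmauthd_login_status(ScriptedPeer.new([BANNER, "331 Password required\r\n", "530 Login incorrect\r\n"]), 'root', 'pw'),
    not_vmauthd: vmauthd_login_status(ScriptedPeer.new(["SSH-2.0-OpenSSH\r\n"]), 'root', 'pw'),
    dropped:     vmauthd_login_status(ScriptedPeer.new([BANNER, :close]), 'root', 'pw')
  }
end
```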