Metasploit-framework: Passwords not being saved in creds DB
Steps to reproduce
- use auxiliary/scanner/http/tomcat_mgr_login
- Successfully guess valid credentials from USER_PASS file
- Username is saved in creds, but password is not
Expected behavior
Valid passwords should also be stored in the creds DB. It does work when discovering a valid password via other methods such as guessing with USER_FILE and PASS_FILE
Current behavior
Only username is stored if successful guess from USER_PASS file.
System stuff
N/A
Metasploit version
4.16.32-dev
I installed Metasploit with:
Kali package via apt
OS
Kali
twinvega
All 6 comments
As a side note, I think there are a LOT of aux and exploit modules (http mostly) that don't store credentials. May be worth a review
h00die
on 7 Feb 2018
Hmmm I will try to take a look.
wchen-r7
on 13 Feb 2018
@twinvega I am not able to reproduce this:
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run
[+] 172.16.249.207:8080 - Login Successful: msfadmin:msfadmin
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:msfadmin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:root (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:msfadmin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:manager (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:root (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:msfadmin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:admin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:manager (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:root (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:msfadmin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:admin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:manager (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:role1 (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:root (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:vagrant (Incorrect)
[+] 172.16.249.207:8080 - Login Successful: tomcat:msfadmin
[-] 172.16.249.207:8080 - LOGIN FAILED: both:msfadmin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: both:admin (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: both:manager (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: both:role1 (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: both:root (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 172.16.249.207:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/tomcat_mgr_login) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
172.16.249.207 172.16.249.207 8080/tcp (http) msfadmin msfadmin Password
172.16.249.207 172.16.249.207 8080/tcp (http) tomcat msfadmin Password
msf5 auxiliary(scanner/http/tomcat_mgr_login) >
Thanks for trying to reproduce @wchen-r7
The USER_PASS file doesn't start until the j2deployer:j2deployer attempt above so to reproduce you'd need to guess something successfully that is in between (and including) j2deployer:j2deployer and admin:vagrant.
I'm guessing it has less to do with the module itself, and more to do with how creds are stored in the DB if the source is a USER_PASS file across the board.
twinvega
on 13 Feb 2018
Oh! Thanks for the tip! I managed to reproduce this:
msf5 auxiliary(scanner/http/tomcat_mgr_login) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
172.16.249.207 172.16.249.207 8080/tcp (http) msfadmin
OK, I have determined the issue. The reason the password isn't stored on the database is because the module isn't providing a data type, which is required by the library in order to store the password. I will fix this, and review other modules for the similar problem after. Thanks for the report @twinvega
wchen-r7
on 13 Feb 2018
Related issues
0x27
路
3Comments
Acidical
路
3Comments
fluit105
路
3Comments
Sonya2010
路
3Comments
handsomebeast
路
3Comments
Most helpful comment
As a side note, I think there are a LOT of aux and exploit modules (http mostly) that don't store credentials. May be worth a review