Closed bcoles closed 3 years ago
thanks for all the background info (docs, commands to show/add info). Just finished up the F5 one (hopefully), so i'll give this a look over
Cool. To clarify the above, as I see it, the most value comes from pulling down the config file and possibly also extracting the hashes (which requires `admin` level VyOS privileges), which ties into the Cracker work you've been doing.

Edit: user hashes can also be grabbed from `/etc/shadow` and other services (vpn/radius) use the same user accounts. The lazy option is to simply grab the entire config file, but maybe there's something interesting to extract, like service passwords configurable with `set service`:
```
vyos@vyos# set service
Possible completions:
> conntrack-sync
             Connection tracking synchronization (conntrack-sync) service
> dhcp-relay   Dynamic Host Configuration Protocol (DHCP) relay agent
> dhcp-server  Dynamic Host Configuration Protocol (DHCP) for DHCP server
> dhcpv6-relay DHCPv6 Relay Agent parameters
> dhcpv6-server
             DHCP for IPv6 (DHCPv6) server
> dns          Domain Name Server (DNS) parameters
> https        Enable/disable the Web server
> lldp         LLDP settings
> snmp         Simple Network Management Protocol (SNMP)
> ssh          Secure SHell (SSH) protocol
> telnet       Enable/disable Network Virtual Terminal Protocol (TELNET) protocol
> webproxy     Webproxy service settings
```
Here's a couple of instances where passwords exist:
```
set service webproxy authentication ldap
set service snmp community
```
The `show` command and associated menu is part of the restricted-shell. As best I can determine, the restricted shell was vaporised along with the `operator` user level when this user level was removed. New versions 1.2+ (not "legacy" 1.0 <= 1.1.8 from 2017/2018) no longer use this menu.

I mentioned the restricted shell interface and menu in case you want to add parsing for the `lib/metasploit/framework/login_scanner/ssh.rb` library (`get_platform` method) to match `Remote command execution is not allowed for operator level users`.
diff --git a/lib/metasploit/framework/login_scanner/ssh.rb b/lib/metasploit/framework/login_scanner/ssh.rb
index 0bc98a28ec..243acfd16b 100644
--- a/lib/metasploit/framework/login_scanner/ssh.rb
+++ b/lib/metasploit/framework/login_scanner/ssh.rb
@@ -220,6 +220,8 @@ module Metasploit
'mikrotik'
when /Arista/
'arista'
+ when /Remote command execution is not allowed for operator level users/
+ 'vyos'
else
'unknown'
end
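Review bot: the new `when` branch keys on a message that, per the discussion above, only the legacy operator-level restricted shell prints (the session log shows it appearing twice in the proof string), so on non-legacy 1.2+ builds where every user lands in a normal Linux shell this branch never fires and the host still falls through to `'unknown'`; a one-line comment on the branch stating that the string comes from the legacy `/opt/vyatta/bin/restricted-shell` would save the next reader from expecting it to identify current VyOS releases, and, as the later edit in this thread suggests, reporting `'linux'` and handling VyOS specifics in `gather_proof` may be the cleaner split.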
Although non-legacy is now 2+ years old, this is a simple patch and would "fix" the `While a session may have opened, it may be bugged.` error with `set GatherProof true`:
```
msf6 >
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set username jsmith
username => jsmith
msf6 auxiliary(scanner/ssh/ssh_login) > set password examplepassword
password => examplepassword
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.191.158
rhosts => 172.16.191.158
msf6 auxiliary(scanner/ssh/ssh_login) > set gatherproof
gatherproof => true
msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssh/ssh_login) > db_connect msf:msf@127.0.0.1/msf
Connected to Postgres data service: 127.0.0.1/msf
msf6 auxiliary(scanner/ssh/ssh_login) > run
[+] 172.16.191.158:22 - Success: 'jsmith:examplepassword' 'Remote command execution is not allowed for operator level users Remote command execution is not allowed for operator level users '
[*] Command shell session 1 opened (172.16.191.165:44777 -> 172.16.191.158:22) at 2020-09-13 00:55:10 -0400
[-] 172.16.191.158:22 - While a session may have opened, it may be bugged. If you experience issues with it, re-run this module with 'set gatherproof false'. Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > hosts

Hosts
=====

address         mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------  ---------  -----  -------  ----  --------
172.16.191.158

msf6 auxiliary(scanner/ssh/ssh_login) > services

Services
========

host            port  proto  name  state  info
----            ----  -----  ----  -----  ----
172.16.191.158  22    tcp    ssh   open

msf6 auxiliary(scanner/ssh/ssh_login) > creds

Credentials
===========

host            origin          service       public  private          realm  private_type  JtR Format
----            ------          -------       ------  -------          -----  ------------  ----------
172.16.191.158  172.16.191.158  22/tcp (ssh)  jsmith  examplepassword         Password

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1001(jsmith) gid=100(users) groups=100(users),4(adm),30(dip),37(operator),102(quaggavty),105(vyattaop)
ls
pwd
/home/jsmith
echo $SHELL
/opt/vyatta/bin/restricted-shell
msf6 auxiliary(scanner/ssh/ssh_login) > edit lib/metasploit/framework/login_scanner/ssh.rb
[*] Reloading /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:20: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::CAN_GET_SESSION
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:20: warning: previous definition of CAN_GET_SESSION was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:21: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::DEFAULT_PORT
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:21: warning: previous definition of DEFAULT_PORT was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:22: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::LIKELY_PORTS
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:22: warning: previous definition of LIKELY_PORTS was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:23: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::LIKELY_SERVICE_NAMES
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:23: warning: previous definition of LIKELY_SERVICE_NAMES was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:24: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::PRIVATE_TYPES
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:24: warning: previous definition of PRIVATE_TYPES was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:25: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::REALM_KEY
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:25: warning: previous definition of REALM_KEY was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:27: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::VERBOSITIES
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:27: warning: previous definition of VERBOSITIES was here
msf6 auxiliary(scanner/ssh/ssh_login) > run
[+] 172.16.191.158:22 - Success: 'jsmith:examplepassword' 'Remote command execution is not allowed for operator level users Remote command execution is not allowed for operator level users '
[*] Command shell session 5 opened (172.16.191.165:33507 -> 172.16.191.158:22) at 2020-09-13 01:19:21 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type           Information                                   Connection
  --  ----  ----           -----------                                   ----------
  4   shell unknown  SSH jsmith:examplepassword (172.16.191.158:22)  172.16.191.165:41213 -> 172.16.191.158:22 (172.16.191.158)
  5   shell vyos     SSH jsmith:examplepassword (172.16.191.158:22)  172.16.191.165:33507 -> 172.16.191.158:22 (172.16.191.158)

msf6 auxiliary(scanner/ssh/ssh_login) > hosts

Hosts
=====

address         mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------  ---------  -----  -------  ----  --------
172.16.191.158             vyos

msf6 auxiliary(scanner/ssh/ssh_login) >
```
Edit: alternatively, in retrospect, reporting the platform as `linux` rather than `vyos` probably makes more sense, and instead implement checks specific to vyos in the `gather_proof` method.
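As an added example (not code from this issue or from Metasploit), here is the kind of parsing a gather module, or a defender reviewing a device backup, would need for the `set service` credentials mentioned earlier in this comment: it walks a VyOS configuration in `show configuration commands` form, reports which lines carry a credential, and produces a redacted copy that is safe to attach to a ticket. The sample config is constructed; the child node names under `webproxy authentication ldap` and the value layout of `snmp community` are assumptions, since only the two path prefixes appear in the thread.

```ruby
require 'shellwords'

# Added example, not VyOS or Metasploit code. Paths are in "set ..." form;
# '*' matches any single token (e.g. a user name). The token that follows the
# pattern is treated as the sensitive value. The webproxy ldap "password"
# child node is an assumption; the snmp/system login paths are stock VyOS.
SECRET_PATHS = [
  { path: %w[service snmp community],                              label: 'SNMP community string' },
  { path: %w[service webproxy authentication ldap password],       label: 'webproxy LDAP bind password' },
  { path: %w[system login user * authentication plaintext-password], label: 'user plaintext password' },
  { path: %w[system login user * authentication encrypted-password], label: 'user password hash' },
].freeze

# Constructed sample in the form `show configuration commands` prints.
# (VyOS hashes plaintext-password on commit, so a saved config normally only
# carries encrypted-password; the plaintext line stands in for an input file.)
SAMPLE_CONFIG = <<~'CFG'
  set interfaces ethernet eth0 address '192.0.2.10/24'
  set service snmp community 'public' authorization 'ro'
  set service snmp community 'public' network '192.0.2.0/24'
  set service ssh port '22'
  set service webproxy authentication ldap server 'ldap.example.test'
  set service webproxy authentication ldap password 'S3cretBind'
  set system login user jsmith authentication plaintext-password 'examplepassword'
  set system login user jsmith level 'operator'
  set system login user vyos authentication encrypted-password '$6$saltsalt$hashhashhashhash'
CFG

# Returns the sensitive value when `tokens` (the words after "set") start
# with `pattern`, otherwise nil.
def match_secret(pattern, tokens)
  return nil if tokens.length <= pattern.length
  pattern.each_with_index do |p, i|
    return nil unless p == '*' || p == tokens[i]
  end
  tokens[pattern.length]
end

# Splits one line into tokens, honouring the single quotes VyOS puts around
# values. Returns nil for anything that is not a "set" line (comments, blanks,
# unbalanced quotes).
def parse_set_line(line)
  tokens = Shellwords.split(line.strip)
  return nil unless tokens.first == 'set'
  tokens.drop(1)
rescue ArgumentError
  nil
end

# Walks the config and returns [{line:, label:, value:}] for every line that
# carries a credential, in file order (one entry per matching line).
def audit_vyos_config(text)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    tokens = parse_set_line(raw)
    next unless tokens
    SECRET_PATHS.each do |rule|
      value = match_secret(rule[:path], tokens)
      findings << { line: lineno, label: rule[:label], value: value } if value
    end
  end
  findings
end

# Returns a copy of the config with every credential value replaced by '****',
# keeping line count and layout so diffs against the original still line up.
def redact_vyos_config(text)
  text.each_line.map do |raw|
    tokens = parse_set_line(raw)
    next raw unless tokens
    SECRET_PATHS.each do |rule|
      value = match_secret(rule[:path], tokens)
      next unless value
      quoted = "'#{value}'"
      raw = raw.include?(quoted) ? raw.sub(quoted, "'****'") : raw.sub(value, "'****'")
    end
    raw
  end.join
end

if __FILE__ == $PROGRAM_NAME
  audit_vyos_config(SAMPLE_CONFIG).each do |f|
    puts format('line %-2d %-28s %s', f[:line], f[:label], f[:value])
  end
  puts
  puts redact_vyos_config(SAMPLE_CONFIG)
end
```

Matching on the tokenised path rather than on a regex over the raw line is what keeps the rules readable when a node takes a variable component such as a user name, and it is the same shape a `modules/post/networking/gather` module would need if it pulled `show configuration commands` output rather than the brace-formatted `/config/config.boot`.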
On the latest non-legacy versions, the authentication model seems to have shifted to assuming all users are admins (effectively root via `sudo sh`). The `admin` role is now the only user role, and the `/config/config.boot` config file is world readable.

The SSH service is not started by default and now requires key authentication by default (not passwords). As such, it is unlikely that VyOS will be compromised via SSH login, but perhaps via another service (or kernel exploit), so SSH access landing in the restricted shell seems unlikely. On the other hand, I didn't review the user guide and administration guide thoroughly, so maybe there's a use case I missed which enables the restricted shell even for `admin` users.
/config/auth/ldap-auth.config
Another network device for you @h00die, for `modules/post/networking/gather`, should you happen to feel motivated.

Software
Documentation

Default login for legacy versions (and live system pre-install): `vyos`/`vyos` (maybe you also want to add these to the default logins wordlist).

Users configuration: https://support.vyos.io/en/kb/articles/adding-users-2 https://support.vyos.io/en/kb/articles/vyos-user-privilege-levels-2

There are two user levels - `operator` and `admin` - however, `operator` users are now considered legacy because it's super easy to privesc.

Config: `root` or `admin` privileges (`vyattacfg` group) are required to read the config file.

The CLI allows low privileged `operator` users to retrieve a bunch of info too, if you want to add that to `lib/metasploit/framework/login_scanner/ssh.rb`.