rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Add VyOS auxiliary gather config module #14124

Closed bcoles closed 3 years ago

bcoles commented 4 years ago

Another network device for you @h00die, for modules/post/networking/gather, should you happen to feel motivated.

Software

Documentation

Default login for legacy versions (and live system pre-install): vyos / vyos (maybe you also want to add these to the default logins wordlist).

Users configuration:

https://support.vyos.io/en/kb/articles/adding-users-2
https://support.vyos.io/en/kb/articles/vyos-user-privilege-levels-2

There are two user levels - operator and admin - however, operator users are now considered legacy because it's super easy to privesc.

Config

vyos@vyos:~$ id
uid=1000(vyos) gid=100(users) groups=100(users),4(adm),6(disk),27(sudo),30(dip),102(quaggavty),104(vyattacfg),110(fuse)
vyos@vyos:~$ users
vyos vyos
vyos@vyos:~$ configure 
[edit]
vyos@vyos# set system login user jsmith full-name "John Smith"
[edit]
vyos@vyos# set system login user jsmith authentication plaintext-password examplepassword
[edit]
vyos@vyos# set system login user jsmith level operator
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vyos# cat /config/config.boot
interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 00:0c:29:c7:af:bc
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user jsmith {
            authentication {
                encrypted-password $6$ELBrDuW7c/8$nN7MwUST8s8O0R6HMNu/iPoTQ1s..y8HTnXraJ7Hh4bHefRmjt/2U08ZckEw4FU034wbWaeCaB5hq7mC6fNXl/
                plaintext-password ""
            }
            full-name "John Smith"
            level operator
        }
        user vyos {
            authentication {
                encrypted-password $1$5HsQse2v$VQLh5eeEp4ZzGmCG/PRBA1
                plaintext-password ""
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.8 */
[edit]
vyos@vyos# 

root or admin privileges (vyattacfg group) are required to read the config file.

sh-4.1$ ls -la /config/
total 4
drwxrwsr-x 8 root vyattacfg  180 Sep 11 12:20 .
drwxr-xr-x 1 root root       180 Sep 11  2020 ..
drwxrwsr-x 2 root vyattacfg  200 Sep 11 12:29 archive
drwxrwsr-x 2 root vyattacfg   40 Nov 11  2017 auth
-rw-rw---- 1 root vyattacfg 1771 Sep 11 12:29 config.boot
drwxrwsr-x 2 root vyattacfg   60 Nov 11  2017 scripts
drwxrwsr-x 2 root vyattacfg   40 Nov 11  2017 support
drwxr-sr-x 3 root vyattacfg   60 Nov 11  2017 url-filtering
drwxrwsr-x 2 root vyattacfg   40 Nov 11  2017 user-data
sh-4.1$ ls -la /config/auth/
total 0
drwxrwsr-x 2 root vyattacfg  40 Nov 11  2017 .
drwxrwsr-x 8 root vyattacfg 180 Sep 11 12:20 ..
sh-4.1$ ls -la /config/config.boot 
-rw-rw---- 1 root vyattacfg 1771 Sep 11 12:29 /config/config.boot

The CLI allows low privileged operator users to retrieve a bunch of info too, if you want to add that to lib/metasploit/framework/login_scanner/ssh.rb.

jsmith@vyos> id

  Invalid command: [id]

jsmith@vyos> show 
Possible completions:
  arp           Show Address Resolution Protocol (ARP) information
  bridge        Show bridging information
  cluster       Show clustering information
  configuration Show running configuration
  conntrack     Show conntrack entries in the conntrack table 
  conntrack-sync
                Show connection syncing information
  date          Show system date and time
  dhcp          Show Dynamic Host Configuration Protocol (DHCP) information
  dhcpv6        Show status related to DHCPv6
  disk          Show status of disk device
  dns           Show Domain Name Server (DNS) information
  file          Show files for a particular image
  firewall      Show firewall information
  flow-accounting
                Show flow accounting statistics
  hardware      Show system hardware details
  history       show command history
  host          Show host information
  incoming      Show ethernet input-policy information
  interfaces    Show network interface information
  ip            Show IPv4 routing information
  ipv6          Show IPv6 routing information
  license       Show VyOS license information
  lldp          Show lldp
  log           Show contents of current master log file
  login         Show current login credentials
  monitoring    Show currently monitored services
  nat           Show Network Address Translation (NAT) information
  nhrp          Show NHRP info
  ntp           Show peer status of network time daemon
  openvpn       Show OpenVPN information
  policy        Show policy information
  poweroff      Show scheduled poweroff
  queueing      Show ethernet queueing information
  raid          Show status of RAID set
  reboot        Show scheduled reboot
  route-map     Show route-map information
  snmp          Show status of SNMP on localhost
  system        Show system information
  table         Show routing table
  tech-support  Show consolidated tech-support report
  users         Show user information
  version       Show Vyatta version information
  vpn           Show Virtual Private Network (VPN) information
  vrrp          Show Virtual Router Redundancy Protocol (VRRP) information
  wan-load-balance
                Show Wide Area Network (WAN) load-balancing information
  webproxy      Show webproxy information
  zone-policy   Show summary of zone policy for a specific zone

  Incomplete command: show

jsmith@vyos> show host os
Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
jsmith@vyos> show users
NAME     LINE         TIME         COMMENT
vyos     tty1         Sep 11 12:21
jsmith   pts/0        Sep 11 12:34 (172.16.191.165)
jsmith@vyos> show version
Version:      VyOS 1.1.8
Description:  VyOS 1.1.8 (helium)
Copyright:    2017 VyOS maintainers and contributors
Built by:     maintainers@vyos.net
Built on:     Sat Nov 11 13:44:36 UTC 2017
Build ID:     1711111344-b483efc
System type:  x86 64-bit
Boot via:     livecd
Hypervisor:   VMware
HW model:     VMware Virtual Platform
HW S/N:       VMware-56 4d e8 a9 19 e9 9a 5d-0c ba e1 07 5f c7 af bc
HW UUID:      564DE8A9-19E9-9A5D-0CBA-E1075FC7AFBC
Uptime:       12:58:37 up 37 min,  2 users,  load average: 0.00, 0.01, 0.04

jsmith@vyos> 
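Added example (editor's, not code from the issue author or from the Metasploit project): a Ruby classifier for the text an SSH login scanner collects after authenticating, along the lines of the ssh.rb parsing suggested above. It assumes the proof is whatever the target printed for the commands shown in this comment (id, show host os / uname -a, show version), that the kernel release string carries the "-vyos" suffix seen above, and, as the thread states, that 1.1.8 is the last release with the operator level. The three proof strings at the bottom are constructed from the outputs quoted in this thread.

```ruby
# Added example (not code from Metasploit or VyOS): classify the "proof"
# text an SSH login scanner collects after authenticating, so a
# gather_proof-style check can tell a legacy VyOS operator login (restricted
# shell) from an admin login (normal shell) and from a non-VyOS Linux box.
# Assumptions: the proof is whatever the target printed for `id`,
# `uname -a` / `show host os` and `show version`, and 1.1.8 is the last
# release with the operator level, as the thread says.
require 'rubygems'

VYOS_LEGACY_MAX = Gem::Version.new('1.1.8')

# Banner the restricted shell prints instead of running a remote command.
RESTRICTED_BANNER = /Remote command execution is not allowed for operator level users/
# Kernel release string on the sample box: "3.13.11-1-amd64-vyos".
VYOS_KERNEL = /^Linux \S+ \S+-vyos\b/
# "Version:      VyOS 1.1.8" as printed by `show version`.
VYOS_VERSION = /^(?:Version|Description):\s+VyOS (\d+(?:\.\d+)*)/

VyosInfo = Struct.new(:platform, :flavor, :version, :restricted_shell, :legacy, :admin,
                      keyword_init: true)

# Returns a VyosInfo, or nil when nothing in the proof points at VyOS.
def identify_vyos(proof)
  restricted = proof.match?(RESTRICTED_BANNER)
  kernel     = proof.match?(VYOS_KERNEL)
  version    = proof[VYOS_VERSION, 1]
  return nil unless restricted || kernel || version

  legacy = if version
             Gem::Version.new(version) <= VYOS_LEGACY_MAX
           elsif restricted
             true   # operator level only exists on legacy releases
           end      # otherwise unknown (nil)
  # admin users are in vyattacfg, operator users in vyattaop (see `id` output above)
  admin = proof.match?(/\bvyattacfg\b/)

  VyosInfo.new(platform: 'linux', flavor: 'vyos', version: version,
               restricted_shell: restricted, legacy: legacy, admin: admin)
end

# Constructed proofs, assembled from the outputs quoted in this thread.
OPERATOR_PROOF = <<~'PROOF'
  Remote command execution is not allowed for operator level users
  Version:      VyOS 1.1.8
  Description:  VyOS 1.1.8 (helium)
PROOF

ADMIN_PROOF = <<~'PROOF'
  uid=1000(vyos) gid=100(users) groups=100(users),4(adm),27(sudo),104(vyattacfg)
  Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
PROOF

# Constructed non-VyOS proof, for the negative case.
OTHER_PROOF = "uid=0(root) gid=0(root) groups=0(root)\nLinux box 5.10.0-amd64 #1 SMP x86_64 GNU/Linux\n"

if __FILE__ == $PROGRAM_NAME
  [OPERATOR_PROOF, ADMIN_PROOF, OTHER_PROOF].each { |proof| p identify_vyos(proof) }
end
```

Reporting platform 'linux' with a 'vyos' flavor keeps the session type usable for the generic Linux post modules while still letting a VyOS-specific gather module key off the flavor; the restricted-shell flag is what decides whether sudo/cat on /config/config.boot is even worth attempting.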
h00die commented 4 years ago

Thanks for all the background info (docs, commands to show/add info). Just finished up the F5 one (hopefully), so I'll give this a look over

bcoles commented 4 years ago

> Thanks for all the background info (docs, commands to show/add info). Just finished up the F5 one (hopefully), so I'll give this a look over

Cool. To clarify the above, as I see it, the most value comes from pulling down the config file and possibly also extracting the hashes (which requires admin level VyOS privileges), which ties into the Cracker work you've been doing.

Edit: user hashes can also be grabbed from /etc/shadow and other services (vpn/radius) use the same user accounts. The lazy option is to simply grab the entire config file, but maybe there's something interesting to extract, like service passwords configurable with set service:

vyos@vyos# set service 
Possible completions:
 > conntrack-sync
                Connection tracking synchronization (conntrack-sync) service
 > dhcp-relay   Dynamic Host Configuration Protocol (DHCP) relay agent
 > dhcp-server  Dynamic Host Configuration Protocol (DHCP) for DHCP server
 > dhcpv6-relay DHCPv6 Relay Agent parameters
 > dhcpv6-server
                DHCP for IPv6 (DHCPv6) server
 > dns          Domain Name Server (DNS) parameters
 > https        Enable/disable the Web server
 > lldp         LLDP settings
 > snmp         Simple Network Management Protocol (SNMP)
 > ssh          Secure SHell (SSH) protocol
 > telnet       Enable/disable Network Virtual Terminal Protocol (TELNET) protocol
 > webproxy     Webproxy service settings

Here are a couple of instances where passwords exist:

The show command and associated menu are part of the restricted shell. As best I can determine, the restricted shell was vaporised along with the operator user level when this user level was removed. New versions 1.2+ (not "legacy" 1.0 <= 1.1.8 from 2017/2018) no longer use this menu.

I mentioned the restricted shell interface and menu in case you want to add parsing for the lib/metasploit/framework/login_scanner/ssh.rb library (get_platform method) to match "Remote command execution is not allowed for operator level users".

diff --git a/lib/metasploit/framework/login_scanner/ssh.rb b/lib/metasploit/framework/login_scanner/ssh.rb
index 0bc98a28ec..243acfd16b 100644
--- a/lib/metasploit/framework/login_scanner/ssh.rb
+++ b/lib/metasploit/framework/login_scanner/ssh.rb
@@ -220,6 +220,8 @@ module Metasploit
             'mikrotik'
           when /Arista/
             'arista'
+          when /Remote command execution is not allowed for operator level users/
+            'vyos'
           else
             'unknown'
           end
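Review bot: the new `when` arm (the two + lines) keys the platform on a restricted-shell error string rather than on anything that names the OS, so it only fires for operator-level logins, which this thread says exist only on legacy VyOS (<= 1.1.8); an admin login on the same box lands in a normal shell and still falls through to 'unknown'. Consider matching on output both user levels return (the "show version" / "uname -a" text quoted above, whose kernel release ends in "-vyos"), or return 'linux' here and keep the VyOS-specific logic in gather_proof, as the later edit in this comment suggests. Either way, a comment on the arm stating which release and user level emit that string would help, since a reader cannot tell it is VyOS from the regex alone.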

Although non-legacy is now 2+ years old, this is a simple patch and would "fix" the "While a session may have opened, it may be bugged." error with set GatherProof true:

msf6 > 
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set username jsmith
username => jsmith
msf6 auxiliary(scanner/ssh/ssh_login) > set password examplepassword
password => examplepassword
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.191.158
rhosts => 172.16.191.158
msf6 auxiliary(scanner/ssh/ssh_login) > set gatherproof
gatherproof => true
msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssh/ssh_login) > db_connect msf:msf@127.0.0.1/msf
Connected to Postgres data service: 127.0.0.1/msf
msf6 auxiliary(scanner/ssh/ssh_login) > run

[+] 172.16.191.158:22 - Success: 'jsmith:examplepassword' 'Remote command execution is not allowed for operator level users Remote command execution is not allowed for operator level users '
[*] Command shell session 1 opened (172.16.191.165:44777 -> 172.16.191.158:22) at 2020-09-13 00:55:10 -0400
[-] 172.16.191.158:22 - While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with 'set gatherproof false'.  Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > hosts

Hosts
=====

address         mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------  ---------  -----  -------  ----  --------
172.16.191.158                                                       

msf6 auxiliary(scanner/ssh/ssh_login) > services
Services
========

host            port  proto  name  state  info
----            ----  -----  ----  -----  ----
172.16.191.158  22    tcp    ssh   open   

msf6 auxiliary(scanner/ssh/ssh_login) > creds
Credentials
===========

host            origin          service       public  private          realm  private_type  JtR Format
----            ------          -------       ------  -------          -----  ------------  ----------
172.16.191.158  172.16.191.158  22/tcp (ssh)  jsmith  examplepassword         Password      

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1001(jsmith) gid=100(users) groups=100(users),4(adm),30(dip),37(operator),102(quaggavty),105(vyattaop)
ls
pwd
/home/jsmith
echo $SHELL
/opt/vyatta/bin/restricted-shell
msf6 auxiliary(scanner/ssh/ssh_login) > edit lib/metasploit/framework/login_scanner/ssh.rb
[*] Reloading /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:20: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::CAN_GET_SESSION
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:20: warning: previous definition of CAN_GET_SESSION was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:21: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::DEFAULT_PORT
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:21: warning: previous definition of DEFAULT_PORT was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:22: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::LIKELY_PORTS
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:22: warning: previous definition of LIKELY_PORTS was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:23: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::LIKELY_SERVICE_NAMES
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:23: warning: previous definition of LIKELY_SERVICE_NAMES was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:24: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::PRIVATE_TYPES
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:24: warning: previous definition of PRIVATE_TYPES was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:25: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::REALM_KEY
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:25: warning: previous definition of REALM_KEY was here
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:27: warning: already initialized constant Metasploit::Framework::LoginScanner::SSH::VERBOSITIES
/root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/ssh.rb:27: warning: previous definition of VERBOSITIES was here
msf6 auxiliary(scanner/ssh/ssh_login) > run

[+] 172.16.191.158:22 - Success: 'jsmith:examplepassword' 'Remote command execution is not allowed for operator level users Remote command execution is not allowed for operator level users '
[*] Command shell session 5 opened (172.16.191.165:33507 -> 172.16.191.158:22) at 2020-09-13 01:19:21 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type           Information                                     Connection
  --  ----  ----           -----------                                     ----------
  4         shell unknown  SSH jsmith:examplepassword (172.16.191.158:22)  172.16.191.165:41213 -> 172.16.191.158:22 (172.16.191.158)
  5         shell vyos     SSH jsmith:examplepassword (172.16.191.158:22)  172.16.191.165:33507 -> 172.16.191.158:22 (172.16.191.158)

msf6 auxiliary(scanner/ssh/ssh_login) > hosts

Hosts
=====

address         mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------  ---------  -----  -------  ----  --------
172.16.191.158             vyos                                      

msf6 auxiliary(scanner/ssh/ssh_login) > 

Edit: alternatively, in retrospect, reporting the platform as linux rather than vyos probably makes more sense, and instead implement checks specific to vyos in the gather_proof method.

On the latest non-legacy versions, the authentication model seems to have shifted to assuming all users are admins (effectively root via sudo sh). The admin role is now the only user role, and the /config/config.boot config file is world readable.

The SSH service is not started by default and now requires key authentication by default (not passwords). As such, it is unlikely that VyOS will be compromised via SSH login, but perhaps via another service (or kernel exploit), so SSH access landing in the restricted shell seems unlikely. On the other hand, I didn't review the user guide and administration guide thoroughly, so maybe there's a use case I missed which enables the restricted shell even for admin users.
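Added example (editor's, not the gather module from this issue nor Metasploit or VyOS code): a Ruby parser for a config.boot of the shape dumped in the first comment, followed by the two extractions this comment says are worth doing, login users with their crypt hashes for the cracker modules, and any non-empty password-like leaves elsewhere in the tree (the "set service" style secrets). It assumes the block/leaf syntax is exactly as in that dump; the John the Ripper format labels per crypt prefix are my own mapping. The sample config is constructed, cut down from the dump above, with a made-up repository password so that a non-empty service credential is actually picked up.

```ruby
# Added example (not code from Metasploit or VyOS): parse a config.boot of the
# shape dumped earlier in this thread into a nested Hash, then pull out login
# users with their crypt hashes and any other non-empty password-like leaves.
# Assumptions: the block/leaf syntax is exactly as in that dump; the JtR
# format labels per crypt prefix are my own mapping.

JTR_FORMATS = {
  '$1$' => 'md5crypt',
  '$5$' => 'sha256crypt',
  '$6$' => 'sha512crypt',
  '$2'  => 'bcrypt',     # $2a$ / $2b$ / $2y$
}.freeze

SECRET_KEY = /password|secret|passphrase|community/i

# "name [value] {" opens a node, "}" closes it, anything else is a "key value"
# leaf (value may be quoted, or an empty "").  /* ... */ lines are comments.
def parse_vyos_config(text)
  root  = {}
  stack = [root]
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('/*')
    if line == '}'
      stack.pop
      raise ArgumentError, 'unbalanced }' if stack.empty?
    elsif line.end_with?('{')
      node = {}
      stack.last[line.chomp('{').strip] = node
      stack.push(node)
    else
      key, _, value = line.partition(/\s+/)
      value = value.strip
      value = value[1..-2] if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
      stack.last[key] = value
    end
  end
  raise ArgumentError, 'unbalanced {' unless stack.size == 1
  root
end

def jtr_format(hash)
  JTR_FORMATS.each { |prefix, fmt| return fmt if hash.start_with?(prefix) }
  'descrypt' # traditional crypt(3) hashes carry no $id$ prefix
end

# => [{name:, level:, hash:, jtr:}, ...] from system { login { user X { ... } } }
def extract_users(tree)
  login = tree.dig('system', 'login') || {}
  login.each_with_object([]) do |(key, node), users|
    next unless node.is_a?(Hash) && key.start_with?('user ')
    hash = node.dig('authentication', 'encrypted-password')
    hash = nil if hash.nil? || hash.empty?
    users << { name: key.split(' ', 2).last, level: node['level'],
               hash: hash, jtr: hash && jtr_format(hash) }
  end
end

# => [["path to leaf", value], ...] for every non-empty password-like leaf
# other than the encrypted-password hashes handled by extract_users.
def extract_secrets(tree, path = [])
  tree.flat_map do |key, value|
    here = path + [key]
    if value.is_a?(Hash)
      extract_secrets(value, here)
    elsif key =~ SECRET_KEY && key != 'encrypted-password' && !value.empty?
      [[here.join(' '), value]]
    else
      []
    end
  end
end

# Constructed sample, cut down from the dump in this thread; the repository
# password is made up so a non-empty service credential gets picked up.
SAMPLE_CONFIG = <<~'CONF'
  interfaces {
      ethernet eth0 {
          hw-id 00:0c:29:c7:af:bc
      }
  }
  system {
      host-name vyos
      login {
          user jsmith {
              authentication {
                  encrypted-password $6$ELBrDuW7c/8$nN7MwUST8s8O0R6HMNu/iPoTQ1s..y8HTnXraJ7Hh4bHefRmjt/2U08ZckEw4FU034wbWaeCaB5hq7mC6fNXl/
                  plaintext-password ""
              }
              full-name "John Smith"
              level operator
          }
          user vyos {
              authentication {
                  encrypted-password $1$5HsQse2v$VQLh5eeEp4ZzGmCG/PRBA1
                  plaintext-password ""
              }
              level admin
          }
      }
      package {
          repository community {
              password hunter2
              url http://packages.vyos.net/vyos
              username ""
          }
      }
  }
  /* Release version: VyOS 1.1.8 */
CONF

if __FILE__ == $PROGRAM_NAME
  tree = parse_vyos_config(SAMPLE_CONFIG)
  extract_users(tree).each { |u| puts "#{u[:name]} (#{u[:level]}): #{u[:jtr]} #{u[:hash]}" }
  extract_secrets(tree).each { |path, value| puts "#{path} = #{value}" }
end
```

The empty plaintext-password "" leaves are dropped by the non-empty check, and encrypted-password is excluded from the generic sweep so each hash is reported once, with its format, rather than twice; the same walk would surface a populated secret under service or vpn without any per-service code.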

h00die commented 4 years ago

/config/auth/ldap-auth.config