VyOS Configuration Importer - Metasploit
This page contains detailed information about how to use the auxiliary/admin/networking/vyos_config metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: VyOS Configuration Importer
Module: auxiliary/admin/networking/vyos_config
Source code: modules/auxiliary/admin/networking/vyos_config.rb
Disclosure date: -
Last modification time: 2020-12-07 11:02:10 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 22
List of CVEs: -
This module imports a VyOS device configuration.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/networking/vyos_config
msf auxiliary(vyos_config) > show targets
... a list of targets ...
msf auxiliary(vyos_config) > set TARGET target-id
msf auxiliary(vyos_config) > show options
... show and set options ...
msf auxiliary(vyos_config) > exploit
Required Options
CONFIG: Path to configuration to import
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
General Notes
This module imports a VyOS configuration file into the database.
This is similar to post/networking/gather/enum_vyos
only access isn't required,
and assumes you already have the file.
VyOS is available to download from VyOS.io.
Example config file:
VyOS 1.3
interfaces {
ethernet eth0 {
address 10.10.10.10/24
description "desc two"
hw-id 00:0c:29:ab:ce:16
}
ethernet eth1 {
hw-id 00:0c:29:ab:ce:20
}
loopback lo {
}
}
service {
snmp {
community ro {
authorization ro
}
community write {
authorization rw
}
}
}
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
login {
user vyos {
authentication {
encrypted-password $6$km/6j4hX0Ayo$dk2z5LeUOayHopgLGZJII0whBMidnvsd4LfT6LcIcR9ReabX0kcXjZOlmmqDGWuo1FvpnV.X2IRl5NeEZpuI31
plaintext-password ""
}
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}
// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@12:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@4:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@2:system@18:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
// Release version: 1.3-rolling-202008270118
VyOS 1.1.8
interfaces {
ethernet eth0 {
description "eth0 main"
duplex auto
hw-id 00:0c:29:f4:45:0a
smp_affinity auto
speed auto
vif 90 {
address dhcp
}
}
ethernet eth1 {
address 10.10.10.10/24
duplex auto
hw-id 00:0c:29:f4:45:14
smp_affinity auto
speed auto
}
loopback lo {
}
}
service {
snmp {
community ro {
authorization ro
}
community write {
authorization rw
}
}
}
system {
config-management {
commit-revisions 20
}
console {
}
host-name vyos118
login {
user jsmith {
authentication {
encrypted-password $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
plaintext-password ""
}
full-name "john smith"
level operator
}
user vyos {
authentication {
encrypted-password $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
plaintext-password ""
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ""
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.8 */
Verification Steps
- Have a VyOS configuration file
- Start
msfconsole
use auxiliary/admin/networking/vyos_config
set RHOST x.x.x.x
set CONFIG /tmp/file.config
run
Options
RHOST
Needed for setting services and items to. This is relatively arbitrary.
CONFIG
File path to the configuration file.
Scenarios
VyOS 1.1.8
msf6 > use auxiliary/admin/networking/vyos_config
msf6 auxiliary(admin/networking/vyos_config) > set config /tmp/vyos.config
config => /tmp/vyos.config
msf6 auxiliary(admin/networking/vyos_config) > set verbose true
verbose => true
msf6 auxiliary(admin/networking/vyos_config) > run
[-] Auxiliary failed: Msf::OptionValidateError One or more options failed to validate: RHOSTS.
msf6 auxiliary(admin/networking/vyos_config) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf6 auxiliary(admin/networking/vyos_config) > run
[*] Running module against 1.1.1.1
[*] Importing config
[+] Config saved to: /home/h00die/.msf4/loot/20200920154519_default_1.1.1.1_vyos.config_295168.txt
[+] 1.1.1.1:22 Username 'jsmith' with level 'operator' with hash $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
[+] 1.1.1.1:22 Username 'vyos' with level 'admin' with hash $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
[+] 1.1.1.1:22 SNMP Community 'ro' with ro access
[+] 1.1.1.1:22 SNMP Community 'write' with rw access
[+] 1.1.1.1:22 Hostname: vyos118
[+] 1.1.1.1:22 OS Version: VyOS 1.1.8
[+] 1.1.1.1:22 Interface eth1 (00:0c:29:f4:45:14) - 10.10.10.10
[+] Config import successful
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the admin/networking/vyos_config auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/networking/vyos_config
msf6 auxiliary(admin/networking/vyos_config) > show info
Name: VyOS Configuration Importer
Module: auxiliary/admin/networking/vyos_config
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
h00die
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG yes Path to configuration to import
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
Description:
This module imports a VyOS device configuration.
Module Options
This is a complete list of options available in the admin/networking/vyos_config auxiliary module:
msf6 auxiliary(admin/networking/vyos_config) > show options
Module options (auxiliary/admin/networking/vyos_config):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG yes Path to configuration to import
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
Advanced Options
Here is a complete list of advanced options supported by the admin/networking/vyos_config auxiliary module:
msf6 auxiliary(admin/networking/vyos_config) > show advanced
Module advanced options (auxiliary/admin/networking/vyos_config):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/networking/vyos_config module can do:
msf6 auxiliary(admin/networking/vyos_config) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/networking/vyos_config auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/networking/vyos_config) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
VyOS config file <CONFIG> does not exist!
Here is a relevant code snippet related to the "VyOS config file <CONFIG> does not exist!" error message:
28: )
29: end
30:
31: def run
32: unless ::File.exist?(datastore['CONFIG'])
33: fail_with Failure::BadConfig, "VyOS config file #{datastore['CONFIG']} does not exist!"
34: end
35: vyos_config = ::File.open(datastore['CONFIG'], 'rb')
36: print_status('Importing config')
37: vyos_config_eater(datastore['RHOSTS'], datastore['RPORT'], vyos_config.read)
38: print_good('Config import successful')
Go back to menu.
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #14161 Merged Pull Request: initial vyos implementation
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/admin/networking/arista_config
- auxiliary/admin/networking/brocade_config
- auxiliary/admin/networking/cisco_asa_extrabacon
- auxiliary/admin/networking/cisco_config
- auxiliary/admin/networking/cisco_dcnm_auth_bypass
- auxiliary/admin/networking/cisco_dcnm_download
- auxiliary/admin/networking/cisco_secure_acs_bypass
- auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass
- auxiliary/admin/networking/f5_config
- auxiliary/admin/networking/juniper_config
- auxiliary/admin/networking/mikrotik_config
- auxiliary/admin/networking/ubiquiti_config
- exploit/linux/ssh/vyos_restricted_shell_privesc
- auxiliary/admin/misc/sercomm_dump_config
- auxiliary/gather/cisco_pvc2300_download_config
- auxiliary/gather/cisco_rv320_config
- auxiliary/scanner/http/epmp1000_dump_config
- auxiliary/admin/citrix/citrix_netscaler_config_decrypt
- auxiliary/admin/sap/sap_configservlet_exec_noauth
- auxiliary/scanner/http/binom3_login_config_pass_dump
- auxiliary/scanner/misc/dvr_config_disclosure
- auxiliary/scanner/snmp/cisco_config_tftp
- exploit/linux/http/op5_config_exec
- exploit/linux/local/vmware_alsa_config
- exploit/multi/browser/opera_configoverwrite
- exploit/multi/http/zenworks_configuration_management_upload
- exploit/unix/webapp/awstats_configdir_exec
- exploit/unix/webapp/freepbx_config_exec
- exploit/unix/webapp/phpmyadmin_config
- exploit/windows/http/sap_configservlet_exec_noauth
- post/linux/gather/enum_configs
- post/networking/gather/enum_vyos
- auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration
- auxiliary/scanner/http/zenworks_assetmanagement_getconfig
- auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
Authors
- h00die
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.