Land #18398, Update deprecated report_auth_info in various modules

data/exploits/psnuffle/ftp.rb

@@ -40,7 +40,16 @@ def parse(pkt)
 
       when :login_fail
         if(s[:user] and s[:pass])
-          report_auth_info(s.merge({:active => false}))
+          report_cred(
+            :ip  => s[:host],
+            :port => s[:port],
+            :service_name => s[:sname],
+            :user => s[:user],
+            :password => s[:pass],
+            :type => :password,
+            :proof => "Response code 5 from server",
+            :status => Metasploit::Model::Login::Status::INCORRECT
+          )
           print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
 
           s[:pass] = ""
@@ -49,7 +58,16 @@ def parse(pkt)
 
       when :login_pass
         if(s[:user] and s[:pass])
-          report_auth_info(s)
+          report_cred(
+            :ip  => s[:host],
+            :port => s[:port],
+            :service_name => s[:sname],
+            :user => s[:user],
+            :password => s[:pass],
+            :type => :password,
+            :proof => "Response code 230 from server",
+            :status => Metasploit::Model::Login::Status::SUCCESSFUL
+          )
           print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
           # Remove it form the session objects so freeup memory
           sessions.delete(s[:session])

data/exploits/psnuffle/imap.rb

@@ -44,22 +44,49 @@ def parse(pkt)
 
       when :login_pass
 
-        report_auth_info(s)
+        report_cred(
+          :ip  => s[:host],
+          :port => s[:port],
+          :service_name => s[:sname],
+          :user => s[:user],
+          :password => s[:pass],
+          :type => :password,
+          :proof => "Capability OK reponse from server",
+          :status => Metasploit::Model::Login::Status::SUCCESSFUL
+        )
         print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
         # Remove it form the session objects so freeup
         sessions.delete(s[:session])
 
       when :login_fail
 
-        report_auth_info(s.merge({:active => false}))
+        report_cred(
+          :ip  => s[:host],
+          :port => s[:port],
+          :service_name => s[:sname],
+          :user => s[:user],
+          :password => s[:pass],
+          :type => :password,
+          :proof => "Capability NO response from server",
+          :status => Metasploit::Model::Login::Status::INCORRECT
+        )
         print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
         # Remove it form the session objects so freeup
         sessions.delete(s[:session])
 
       when :login_bad
-        report_auth_info(s.merge({:active => false}))
+        report_cred(
+          :ip  => s[:host],
+          :port => s[:port],
+          :service_name => s[:sname],
+          :user => s[:user],
+          :password => s[:pass],
+          :type => :password,
+          :proof => "Capability BAD response from server",
+          :status => Metasploit::Model::Login::Status::UNTRIED
+        )
         print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
         # Remove it form the session objects so freeup

data/exploits/psnuffle/pop3.rb

@@ -52,7 +52,16 @@ def parse(pkt)
               s[:proto] = "tcp"
               s[:name]  = "pop3"
               s[:extra] = "Successful Login. Banner: #{s[:banner]}"
-              report_auth_info(s)
+              report_cred(
+                :ip  => s[:host],
+                :port => s[:port],
+                :service_name => s[:name],
+                :user => s[:user],
+                :password => s[:pass],
+                :type => :password,
+                :proof => s[:extra],
+                :status => Metasploit::Model::Login::Status::SUCCESSFUL
+              )
               print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
               # Remove it form the session objects so freeup
@@ -72,7 +81,16 @@ def parse(pkt)
 
               s[:proto]="pop3"
               s[:extra]="Failed Login. Banner: #{s[:banner]}"
-              report_auth_info(s)
+              report_cred(
+                :ip  => s[:host],
+                :port => s[:port],
+                :service_name => s[:proto],
+                :user => s[:user],
+                :password => s[:pass],
+                :type => :password,
+                :proof => s[:extra],
+                :status => Metasploit::Model::Login::Status::INCORRECT
+              )
               print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
               s[:pass]=""
           end

data/exploits/psnuffle/smb.rb

@@ -4,7 +4,7 @@
 # When db is available reports go into db
 #
 
-#Memo : 
+#Memo :
 #FOR SMBV1
   # Authentification without extended security set
     #1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
@@ -20,7 +20,7 @@
     #5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
     #6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
 #FOR SMBV2
-  #SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response 
+  #SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
 
 class SnifferSMB < BaseProtocolParser
 
@@ -132,7 +132,7 @@ def parse_sessionsetup(pkt, s)
         ntlmlength = 	payload[53,2].unpack("v")[0]
         s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
         s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
-      
+
         names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
 
         s[:user] = names[0]
@@ -145,8 +145,8 @@ def parse_sessionsetup(pkt, s)
         if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
           #do not output anonymous/guest logging
           unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
-            #set lmhash to a default value if not provided						   	
-            s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
+            #set lmhash to a default value if not provided
+            s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
             s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
 
             smb_status = payload[9,4].unpack("V")[0]
@@ -157,29 +157,29 @@ def parse_sessionsetup(pkt, s)
               logmessage =
                 "#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
                 "USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
-                "SERVER CHALLENGE:#{s[:challenge]} " + 
-                "\nLMHASH:#{s[:lmhash]} " + 
+                "SERVER CHALLENGE:#{s[:challenge]} " +
+                "\nLMHASH:#{s[:lmhash]} " +
                 "\nNTHASH:#{s[:ntlmhash]}\n"
               print_status(logmessage)
 
               src_ip = s[:client_host]
               dst_ip = s[:host]
-              # know this is ugly , last code added :-/
               smb_db_type_hash = case ntlm_ver
-                     when "NTLMv1" 		then "smb_netv1_hash"
-                     when "NTLM2_SESSION" 	then "smb_netv1_hash"
-                     when "NTLMv2" 		then "smb_netv2_hash"
+                     when "NTLMv1" 		then "netntlm"
+                     when "NTLM2_SESSION" 	then "netntlm"
+                     when "NTLMv2" 		then "netntlmv2"
                      end
               # DB reporting
-              report_auth_info(
-                :host  => dst_ip,
-                :port => 445,
-                :sname => 'smb',
+              report_cred(
+                :ip  => dst_ip,
+                :port => s[:port],
+                :service_name => 'smb',
                 :user => s[:user],
-                :pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
-                :type => smb_db_type_hash,
+                :password => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
+                :type => :nonreplayable_hash,
+                :jtr_format => smb_db_type_hash,
                 :proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
-                :active => true
+                :status => Metasploit::Model::Login::Status::SUCCESSFUL
               )
 
               report_note(

data/exploits/psnuffle/url.rb

@@ -44,7 +44,16 @@ def parse(pkt)
         end
         if s[:basic_auth]
           s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
-          report_auth_info s
+          report_cred(
+            :ip  => s[:host],
+            :port => s[:port],
+            :service_name => 'http',
+            :user => s[:user],
+            :password => s[:pass],
+            :type => :password,
+            :proof => "Session: #{s[:session]} Basic Auth: #{s[:basic_auth]}",
+            :status => Metasploit::Model::Login::Status::UNTRIED
+          )
           print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"
         end
       when nil

modules/auxiliary/admin/scada/modicon_password_recovery.rb

@@ -174,21 +174,25 @@ def grab
     if httpcreds
       httpuser = httpcreds[1].split(/[\r\n]+/)[0]
       httppass = httpcreds[1].split(/[\r\n]+/)[1]
+      proof = "FTP PASV data socket: #{httpcreds}"
     else
       # Usual defaults
       httpuser = "USER"
       httppass = "USER"
+      proof = "Usual defaults"
     end
     print_status("#{rhost}:#{rport} - FTP - Storing HTTP credentials")
     logins << ["http", httpuser, httppass]
-    report_auth_info(
-      :host	=> ip,
-      :port	=> 80,
-      :sname	=> "http",
-      :user	=> httpuser,
-      :pass	=> httppass,
-      :active	=> true
+
+    report_cred(
+      ip: ip,
+      port: rport,
+      service_name: 'http',
+      user: httpuser,
+      password: httppass,
+      proof: proof
     )
+
     logins << ["scada-write", "", writecreds[1]]
     if writecreds # This is like an enable password, used after HTTP authentication.
       report_note(

modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb

@@ -174,17 +174,11 @@ def dump_hashes(view_id, cookie, uri)
             :port => rport,
             :name => (ssl ? 'https' : 'http')
           )
-          report_auth_info(
-            :host        => rhost,
-            :port        => rport,
-            :sname       => (ssl ? 'https' : 'http'),
-            :user        => short_name,
-            :pass        => pass_hash,
-            :ptype       => 'domino_hash',
-            :source_id   => domino_svc&.id,
-            :source_type => 'service',
-            :proof       => "WEBAPP=\"Lotus Domino\", USER_MAIL=#{user_mail}, HASH=#{pass_hash}, VHOST=#{vhost}",
-            :active      => true
+
+          report_cred(
+            user: short_name,
+            password: pass_hash,
+            proof: "WEBAPP=\"Lotus Domino\", USER_MAIL=#{user_mail}, HASH=#{pass_hash}, VHOST=#{vhost}"
           )
         end
       end
@@ -193,4 +187,26 @@ def dump_hashes(view_id, cookie, uri)
     rescue ::Timeout::Error, ::Errno::EPIPE
     end
   end
+
+  def report_cred(opts)
+
+    service_data = service_details.merge({workspace_id: myworkspace_id})
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash,
+      jtr_format: 'dominosec'
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
 end

modules/auxiliary/sniffer/psnuffle.rb

@@ -132,8 +132,38 @@ def print_error(msg)
     self.module.print_error(msg)
   end
 
-  def report_auth_info(*s)
-    self.module.report_auth_info(*s)
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: self.module.myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: self.module.fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: opts[:type]
+    }.merge(service_data)
+
+    if opts[:type] == :nonreplayable_hash
+      credential_data.merge!(jtr_format: opts[:jtr_format])
+    end
+
+    login_data = {
+      core: self.module.create_credential(credential_data),
+      status: opts[:status],
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    unless opts[:status] == Metasploit::Model::Login::Status::UNTRIED
+      login_data.merge!(last_attempted_at: DateTime.now)
+    end
+
+    self.module.create_credential_login(login_data)
   end
 
   def report_note(*s)

modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb

@@ -399,17 +399,6 @@ def exploit
           status: Metasploit::Model::Login::Status::UNTRIED
       }.merge(service_details)
       create_credential_and_login(connection_details)
-
-      # why is this stored another way?
-      report_auth_info({
-        :host => rhost,
-        :port => rport,
-        :user => user[0],
-        :pass => user[1],
-        :type => "hash",
-        :sname => (ssl ? "https" : "http"),
-        :proof => "salt: #{user[2]}" # Using proof to store the hash salt
-      })
       users << user
     end