How to write a Metasploit login scan (loginscanners) plugin

We do not produce articles, we are just nature's porters. The detailed production of this scan plugin was released by the rapid team on GitHub, at the bottom of the blog.

Before writing the plugin, we need to understand some basic concepts:

Certificate (Credential Objects)

Digital certificates currently use a public key system, that is, the use of a pair of matching keys for encryption and decryption. Each user sets an encrypted private key and a public key for decryption. When sending a confidential file, the sender uses the receiver's public key to encrypt, the receiver uses its own private key to decrypt, this is an irreversible process, theoretically only its own private key decryption.

And the user can use their own private key to encrypt information, and the generated files only their own public key to decrypt, this is the file is digitally signed, its purpose is two points:

1) The guarantee information is sent by the signer's own signature.

2) Ensure that the information has not been modified since it was issued to the date of receipt.

Reference to the certificate in the Ruby Project: Metasploit::framework::credential, the specific location in Metasploit is/usr/share/metasploit-framework/lib/ Metasploit/framework/credential.rb.

Results (Result Objects)

Results generated by the scan, including:

1) access level, which describes the access levels for attempting to log on.

2) certificate, the certificate obtained after the scan is completed.

3) prove that an optional proof can be used to show why the results are useful.

4) status, try to log in the status. The value of the state is from Metasploit::model::login::status.

The results are referenced in the Ruby project: Metasploit::framework::loginscanner::result, in the specific location of Metasploit for/usr/share/metasploit-framework/lib /metasploit/framework/login_scanner/result.rb.

Certificate Collection (credentialcollection)

This class is used to get data storage options from the module and to generate certificate objects from each method. Not only do you use the Wordlist file, but you also set the user name option to both a password and a blank password mode. It can be uploaded as a cred_details of the login scan control and responds to #each while generating the certificate.

Example of Ftp_login (file address: MODULES/AUXILIARY/SCANNER/FTP/FTP_LOGIN.RB):

Cred_collection = metasploit::framework::credentialcollection.new (        blank_passwords:datastore[' BLANK_ Passwords '],        pass_file:datastore[' Pass_file '],        password:datastore[' password ',        user_file:datastore [' User_file '],        userpass_file:datastore[' Userpass_file ',        username:datastore[' username '],        user_as_ pass:datastore[' User_as_pass '],        prepended_creds:anonymous_creds    )

A reference to a certificate collection in a Ruby project: Metasploit::framework::credentialconllection, in the specific location of Metasploit for/usr/share/metasploit-framework/ Lib/metasploit/framework/credential_collection.rb.

Login Scan base class (Loginscanner base)

This ruby module contains all the basic behavior of the login scan and all the login scan classes should contain this module. Descriptions of these behaviors are stored in a shared example group. And our Login Scan control specification should follow the following syntax to introduce these tests:

It_behaves_like ' Metasploit::framework::loginscanner::base ', Has_realm_key:false, Has_default_realm:false

The value of going to Has_realm_key and Has_default_realm is determined by whether the scan control requires these two functions. (explained in detail later). The login scan control will constantly collect certificates to try one port on a host, so every login scan control will only attempt to log on to a specific service.

How to write a Metasploit login scan (loginscanners) plugin