documentation/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.md
Symantec Messaging Gateway (SMG) is an all-in-one appliance that secures email with real-time antispam and antimalware filtering, protection against targeted attacks, content filtering, data loss prevention, and email encryption.
The SMG management console lets any user with at least read access to the appliance recover the stored AD password, which could give that user unauthorized, elevated access to other resources on the network.
Authentication is required to use symantec_brightmail_ldapcreds. However, it is possible to find SMG still using the default username admin and password symantec.
Symantec Messaging Gateway 10.6.0 and earlier are known to be vulnerable.
symantec_brightmail_ldapcreds was specifically tested against 10.6.0 during development.
These verification steps assume you already have access to a vulnerable version of Symantec Messaging Gateway. During the development of symantec_brightmail_ldapcreds, Symantec was still providing 10.6.0 as a trial.
Installation
The 10.6.0 installation guide can be found here
Make sure you remember your username and password for Symantec Messaging Gateway before using the module.
Using the Module
Once you have the vulnerable setup ready, go ahead and do this:
use auxiliary/scanner/http/symantec_brightmail_ldapcreds
set RHOSTS [IP]
set USERNAME [USERNAME FOR SMG]
set PASSWORD [PASSWORD FOR SMG]
run