Class: Metasploit::Framework::LoginScanner::HTTP
Inherits: Object
Defined in: lib/metasploit/framework/login_scanner/http.rb
Overview
HTTP-specific login scanner.
Direct Known Subclasses
AdvantechWebAccess, Axis2, BavisionCameras, Buffalo, Caidao, ChefWebUI, CiscoFirepower, DirectAdmin, GitLab, Glassfish, IPBoard, Jenkins, Jupyter, ManageEngineDesktopCentral, MyBookLive, Nessus, OctopusDeploy, PhpMyAdmin, Smh, SymantecWebGateway, Tomcat, WinRM, WordpressMulticall, WordpressRPC, Zabbix
Constant Summary
- DEFAULT_REALM = nil
- DEFAULT_PORT = 80
- DEFAULT_SSL_PORT = 443
- LIKELY_PORTS = [ 80, 443, 8000, 8080 ]
- LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
- PRIVATE_TYPES = [ :password ]
- REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
Instance Attribute Summary
- #digest_auth_iis ⇒ Boolean: Whether to conform to IIS digest authentication mode.
- #evade_header_folding ⇒ Boolean: Whether to enable folding of HTTP headers.
- #evade_method_random_case ⇒ Boolean: Whether to use random casing for the HTTP method.
- #evade_method_random_invalid ⇒ Boolean: Whether to use a random, invalid HTTP method for the request.
- #evade_method_random_valid ⇒ Boolean: Whether to use a random, but valid, HTTP method for the request.
- #evade_pad_fake_headers ⇒ Boolean: Whether to insert random, fake headers into the HTTP request.
- #evade_pad_fake_headers_count ⇒ Integer: How many fake headers to insert into the HTTP request.
- #evade_pad_get_params ⇒ Boolean: Whether to insert random, fake query string variables into the request.
- #evade_pad_get_params_count ⇒ Integer: How many fake query string variables to insert into the request.
- #evade_pad_method_uri_count ⇒ Integer: How many whitespace characters to use between the method and URI.
- #evade_pad_method_uri_type ⇒ String: What type of whitespace to use between the method and URI.
- #evade_pad_post_params ⇒ Boolean: Whether to insert random, fake POST variables into the request.
- #evade_pad_post_params_count ⇒ Integer: How many fake POST variables to insert into the request.
- #evade_pad_uri_version_count ⇒ Integer: How many whitespace characters to use between the URI and version.
- #evade_pad_uri_version_type ⇒ String: What type of whitespace to use between the URI and version.
- #evade_uri_dir_fake_relative ⇒ Boolean: Whether to insert fake relative directories into the URI.
- #evade_uri_dir_self_reference ⇒ Boolean: Whether to insert self-referential directories into the URI.
- #evade_uri_encode_mode ⇒ String: The type of URI encoding to use.
- #evade_uri_fake_end ⇒ Boolean: Whether to add a fake end of URI (e.g. /%20HTTP/1.0/../../).
- #evade_uri_fake_params_start ⇒ Boolean: Whether to add a fake start of params to the URI (e.g. /%3fa=b/../).
- #evade_uri_full_url ⇒ Boolean: Whether to use the full URL for all HTTP requests.
- #evade_uri_use_backslashes ⇒ Boolean: Whether to use backslashes instead of forward slashes in the URI.
- #evade_version_random_invalid ⇒ Boolean: Whether to use a random, invalid HTTP version for the request.
- #evade_version_random_valid ⇒ Boolean: Whether to use a random, but valid, HTTP version for the request.
- #http_password ⇒ String
- #http_username ⇒ String
- #method ⇒ Object: Returns the value of attribute method.
- #ntlm_domain ⇒ String: The NTLM domain to use during authentication.
- #ntlm_send_lm ⇒ Boolean: Whether to always send the LANMAN response (except when NTLMv2_session is specified).
- #ntlm_send_ntlm ⇒ Boolean: Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.
- #ntlm_send_spn ⇒ Boolean: Whether to send an AVP of type SPN in the NTLMv2 client blob.
- #ntlm_use_lm_key ⇒ Boolean: Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.
- #ntlm_use_ntlmv2 ⇒ Boolean: Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.
- #ntlm_use_ntlmv2_session ⇒ Boolean: Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.
- #uri ⇒ String: HTTP method, e.g. "GET", "POST".
- #user_agent ⇒ String: The User-Agent to use for the HTTP requests.
- #vhost ⇒ String: The Virtual Host name for the target Web Server.
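The evade_* attributes listed above change how the request line is written on the wire (method casing, padding between tokens, self-referential directories, a fake end of URI, and so on). Seen from the server side, those same changes are what a defender can look for in access logs. The following Ruby is an added example, not code from the Metasploit class, that flags such request lines in combined-format access-log entries; the log format, the sample log lines, and the helper names (VALID_METHODS, evasion_indicators, scan_log, flagged_per_client) are all assumptions of the example.

```ruby
# Added example, not part of the Metasploit HTTP login scanner: flag
# access-log request lines that show the request-line mangling the
# evade_* options describe. The "combined" log format is assumed, and
# every log line in LOG_LINES is constructed for this example.

VALID_METHODS = %w[GET HEAD POST PUT DELETE OPTIONS TRACE PATCH CONNECT].freeze
VALID_VERSIONS = %w[HTTP/1.0 HTTP/1.1].freeze

# client ident user [time] "request line" status bytes ...
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)/

# Returns the list of indicators found in one request line (empty if none).
def evasion_indicators(request_line)
  # Capture the separators too, so padding between tokens stays visible
  m = request_line.match(/\A(\S+)(\s+)(\S+)(?:(\s+)(\S+))?\z/)
  return ['unparseable request line'] unless m
  method, pad1, target, pad2, version = m.captures
  upper = method.upcase
  found = []

  # evade_method_random_case / evade_method_random_invalid
  found << 'non-uppercase method' if method != upper
  found << 'unknown method' unless VALID_METHODS.include?(upper)
  # evade_pad_method_uri_* / evade_pad_uri_version_*
  found << 'padding between method and uri' if pad1 != ' '
  found << 'padding between uri and version' if pad2 && pad2 != ' '
  # evade_version_random_valid / evade_version_random_invalid
  found << 'unusual HTTP version' if version && !VALID_VERSIONS.include?(version)
  # evade_uri_full_url (an absolute URL is normal only for proxy/CONNECT traffic)
  found << 'absolute URL as request target' if upper != 'CONNECT' && target.match?(%r{\Ahttps?://}i)
  # evade_uri_use_backslashes
  found << 'backslash in uri' if target.include?('\\')
  # evade_uri_dir_self_reference / evade_uri_dir_fake_relative
  found << 'self-referential or relative directory' if target.match?(%r{/\.\.?/})
  # evade_uri_fake_end, e.g. /%20HTTP/1.0/../../
  found << 'fake end of uri' if target.match?(%r{%20HTTP/1\.[01]/\.\./}i)
  # evade_uri_fake_params_start, e.g. /%3fa=b/../
  found << 'fake params start' if target.match?(%r{%3f[^/]*/\.\./}i)
  found
end

# One hash per flagged line: client, request line, status and indicators.
def scan_log(lines)
  lines.each_with_object([]) do |line, out|
    m = LOG_RE.match(line.chomp)
    next unless m
    client, _time, request, status, _bytes = m.captures
    indicators = evasion_indicators(request)
    next if indicators.empty?
    out << { client: client, request: request, status: status.to_i, indicators: indicators }
  end
end

# Flagged requests per source address: a run of mangled requests against one
# login URI from one client is what the evasion options look like server-side.
def flagged_per_client(lines)
  scan_log(lines).group_by { |h| h[:client] }.transform_values(&:length)
end

# Constructed sample log lines (addresses from the documentation ranges)
LOG_LINES = [
  '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /manager/html HTTP/1.1" 401 1293',
  '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "gEt /manager/html HTTP/1.1" 401 1293',
  '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET    /manager/html HTTP/1.1" 401 1293',
  '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /%20HTTP/1.0/../../manager/html HTTP/1.1" 401 1293',
  '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /./manager/./html HTTP/1.1" 200 5120',
  '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /%3fa=b/../manager/html HTTP/1.1" 401 1293',
  '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log(LOG_LINES).each { |h| puts "#{h[:client]} #{h[:request].inspect} -> #{h[:indicators].join(', ')}" }
  p flagged_per_client(LOG_LINES)
end
```

Only the request line is inspected, so the padding options that work on headers, query strings and POST bodies (evade_pad_fake_headers, evade_pad_get_params, evade_pad_post_params) need a full request capture rather than an access log. Some servers also normalise the request line before logging it, in which case the method-case and padding indicators will not appear even though the request was mangled on the wire.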
Instance Method Summary
- #attempt_login(credential) ⇒ Result: Attempt a single login with a single credential against the target.
- #check_setup ⇒ Object
- #send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass: Sends an HTTP request with Rex.
Instance Attribute Details
#digest_auth_iis ⇒ Boolean
Returns whether to conform to IIS digest authentication mode.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 162
def digest_auth_iis
  @digest_auth_iis
end
```

#evade_header_folding ⇒ Boolean
Returns whether to enable folding of HTTP headers.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 130
def evade_header_folding
  @evade_header_folding
end
```

#evade_method_random_case ⇒ Boolean
Returns whether to use random casing for the HTTP method.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 74
def evade_method_random_case
  @evade_method_random_case
end
```

#evade_method_random_invalid ⇒ Boolean
Returns whether to use a random, invalid HTTP method for the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 70
def evade_method_random_invalid
  @evade_method_random_invalid
end
```

#evade_method_random_valid ⇒ Boolean
Returns whether to use a random, but valid, HTTP method for the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 66
def evade_method_random_valid
  @evade_method_random_valid
end
```

#evade_pad_fake_headers ⇒ Boolean
Returns whether to insert random, fake headers into the HTTP request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 98
def evade_pad_fake_headers
  @evade_pad_fake_headers
end
```

#evade_pad_fake_headers_count ⇒ Integer
Returns how many fake headers to insert into the HTTP request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 102
def evade_pad_fake_headers_count
  @evade_pad_fake_headers_count
end
```

#evade_pad_get_params ⇒ Boolean
Returns whether to insert random, fake query string variables into the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 106
def evade_pad_get_params
  @evade_pad_get_params
end
```

#evade_pad_get_params_count ⇒ Integer
Returns how many fake query string variables to insert into the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 110
def evade_pad_get_params_count
  @evade_pad_get_params_count
end
```

#evade_pad_method_uri_count ⇒ Integer
Returns how many whitespace characters to use between the method and URI.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 50
def evade_pad_method_uri_count
  @evade_pad_method_uri_count
end
```

#evade_pad_method_uri_type ⇒ String
Returns what type of whitespace to use between the method and URI.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 58
def evade_pad_method_uri_type
  @evade_pad_method_uri_type
end
```

#evade_pad_post_params ⇒ Boolean
Returns whether to insert random, fake POST variables into the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 114
def evade_pad_post_params
  @evade_pad_post_params
end
```

#evade_pad_post_params_count ⇒ Integer
Returns how many fake POST variables to insert into the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 118
def evade_pad_post_params_count
  @evade_pad_post_params_count
end
```

#evade_pad_uri_version_count ⇒ Integer
Returns how many whitespace characters to use between the URI and version.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 54
def evade_pad_uri_version_count
  @evade_pad_uri_version_count
end
```

#evade_pad_uri_version_type ⇒ String
Returns what type of whitespace to use between the URI and version.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 62
def evade_pad_uri_version_type
  @evade_pad_uri_version_type
end
```

#evade_uri_dir_fake_relative ⇒ Boolean
Returns whether to insert fake relative directories into the URI.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 90
def evade_uri_dir_fake_relative
  @evade_uri_dir_fake_relative
end
```

#evade_uri_dir_self_reference ⇒ Boolean
Returns whether to insert self-referential directories into the URI.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 86
def evade_uri_dir_self_reference
  @evade_uri_dir_self_reference
end
```

#evade_uri_encode_mode ⇒ String
Returns the type of URI encoding to use.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 42
def evade_uri_encode_mode
  @evade_uri_encode_mode
end
```

#evade_uri_fake_end ⇒ Boolean
Returns whether to add a fake end of URI (e.g. /%20HTTP/1.0/../../).

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 122
def evade_uri_fake_end
  @evade_uri_fake_end
end
```

#evade_uri_fake_params_start ⇒ Boolean
Returns whether to add a fake start of params to the URI (e.g. /%3fa=b/../).

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 126
def evade_uri_fake_params_start
  @evade_uri_fake_params_start
end
```

#evade_uri_full_url ⇒ Boolean
Returns whether to use the full URL for all HTTP requests.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 46
def evade_uri_full_url
  @evade_uri_full_url
end
```

#evade_uri_use_backslashes ⇒ Boolean
Returns whether to use backslashes instead of forward slashes in the URI.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 94
def evade_uri_use_backslashes
  @evade_uri_use_backslashes
end
```

#evade_version_random_invalid ⇒ Boolean
Returns whether to use a random, invalid HTTP version for the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 82
def evade_version_random_invalid
  @evade_version_random_invalid
end
```

#evade_version_random_valid ⇒ Boolean
Returns whether to use a random, but valid, HTTP version for the request.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 78
def evade_version_random_valid
  @evade_version_random_valid
end
```

#http_password ⇒ String

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 170
def http_password
  @http_password
end
```

#http_username ⇒ String

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 166
def http_username
  @http_username
end
```

#method ⇒ Object
Returns the value of attribute method.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 30
def method
  @method
end
```

#ntlm_domain ⇒ String
Returns the NTLM domain to use during authentication.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 158
def ntlm_domain
  @ntlm_domain
end
```

#ntlm_send_lm ⇒ Boolean
Returns whether to always send the LANMAN response (except when NTLMv2_session is specified).

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 142
def ntlm_send_lm
  @ntlm_send_lm
end
```

#ntlm_send_ntlm ⇒ Boolean
Returns whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 146
def ntlm_send_ntlm
  @ntlm_send_ntlm
end
```

#ntlm_send_spn ⇒ Boolean
Returns whether to send an AVP of type SPN in the NTLMv2 client blob.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 150
def ntlm_send_spn
  @ntlm_send_spn
end
```

#ntlm_use_lm_key ⇒ Boolean
Returns whether to activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 154
def ntlm_use_lm_key
  @ntlm_use_lm_key
end
```

#ntlm_use_ntlmv2 ⇒ Boolean
Returns whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 138
def ntlm_use_ntlmv2
  @ntlm_use_ntlmv2
end
```

#ntlm_use_ntlmv2_session ⇒ Boolean
Returns whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 134
def ntlm_use_ntlmv2_session
  @ntlm_use_ntlmv2_session
end
```

#uri ⇒ String
Returns HTTP method, e.g. "GET", "POST".

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 26
def uri
  @uri
end
```

#user_agent ⇒ String
Returns the User-Agent to use for the HTTP requests.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 34
def user_agent
  @user_agent
end
```

#vhost ⇒ String
Returns the Virtual Host name for the target Web Server.

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 38
def vhost
  @vhost
end
```
Instance Method Details
#attempt_login(credential) ⇒ Result
Attempt a single login with a single credential against the target.
```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 271
def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }
  if ssl
    result_opts[:service_name] = 'https'
  else
    result_opts[:service_name] = 'http'
  end

  begin
    response = send_request('credential'=>credential, 'uri'=>uri, 'method'=>method)
    # A 200 after the authenticated request counts as a successful login;
    # any other status leaves the default INCORRECT in place.
    if response && response.code == 200
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
    end
  rescue Rex::ConnectionError => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end
```
#check_setup ⇒ Object
```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 180
def check_setup
  http_client = Rex::Proto::Http::Client.new(
    host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
  )
  request = http_client.request_cgi(
    'uri' => uri,
    'method' => method
  )

  begin
    # Use _send_recv instead of send_recv to skip automatic
    # authentication
    response = http_client._send_recv(request)
  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return "Unable to connect to target"
  end

  # The target is usable only if the unauthenticated request is challenged
  # (401 with a WWW-Authenticate header). The local variable name was lost
  # in extraction and is restored here as error_message: a String describes
  # the problem, false means the setup check passed.
  if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
    error_message = "No authentication required"
  else
    error_message = false
  end

  error_message
end
```
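check_setup decides whether this scanner applies to a target from a single unauthenticated response: a 401 carrying WWW-Authenticate means the target challenges for credentials, anything else is reported as an error string. The WWW-Authenticate value itself is what tells an operator, or a defender reviewing a scanner's fit, which scheme and realm are in play (the Basic realm, or a Digest or NTLM challenge that the digest_auth_iis and ntlm_* attributes exist for). The Ruby below is an added example, not code from the Metasploit class: it models the check_setup decision without a network and parses the challenge header. Response (a stand-in for Rex::Proto::Http::Response), setup_error, parse_challenges, setup_report and all sample responses are assumptions of the example.

```ruby
require 'strscan'

# Added example, not part of the Metasploit HTTP login scanner. Response is a
# constructed stand-in for Rex::Proto::Http::Response (status code + headers).
Response = Struct.new(:code, :headers)

# Mirrors the check_setup decision: a String says why the target is not
# usable by this scanner, false means the target does challenge for credentials.
def setup_error(response)
  return 'Unable to connect to target' if response.nil?
  if response.code == 401 && response.headers['WWW-Authenticate']
    false
  else
    'No authentication required'
  end
end

SCHEME_RE = %r{[A-Za-z][A-Za-z0-9._~+/-]*}
# token68 (e.g. a raw NTLM challenge blob) carries '=' only as trailing padding
TOKEN68_RE = %r{\s+([A-Za-z0-9._~+/-]+=*)(?=[\s,]|\z)}

# Parse one or more challenges, e.g. 'Negotiate, NTLM, Basic realm="x"', into
# [{scheme: 'Negotiate', params: {}}, {scheme: 'NTLM', params: {}},
#  {scheme: 'Basic', params: {'realm' => 'x'}}]. Param names are downcased.
def parse_challenges(header)
  s = StringScanner.new(header.to_s)
  challenges = []
  loop do
    s.skip(/[\s,]+/)
    break if s.eos?
    scheme = s.scan(SCHEME_RE) or raise ArgumentError, "bad challenge at offset #{s.pos}"
    params = {}
    if s.check(TOKEN68_RE) && !s[1].match?(/=[^=]/)
      params['token68'] = s[1]
      s.skip(TOKEN68_RE)
    else
      # name=value pairs; a bare word (or the end) starts the next challenge
      while s.skip(/[\s,]*/) && s.check(/([A-Za-z0-9._-]+)\s*=\s*/)
        name = s[1].downcase
        s.skip(/([A-Za-z0-9._-]+)\s*=\s*/)
        params[name] = if s.scan(/"((?:\\.|[^"\\])*)"/)
                         s[1].gsub(/\\(.)/, '\1')   # unescape quoted-string
                       else
                         s.scan(/[^,\s]+/) || ''
                       end
      end
    end
    challenges << { scheme: scheme, params: params }
  end
  challenges
end

# Everything needed before choosing scanner options for this target: the
# check_setup error string, or the offered schemes and the first realm seen.
def setup_report(response)
  error = setup_error(response)
  return { error: error, schemes: [], realm: nil } if error
  challenges = parse_challenges(response.headers['WWW-Authenticate'])
  {
    error: false,
    schemes: challenges.map { |c| c[:scheme] },
    realm: challenges.map { |c| c[:params]['realm'] }.compact.first
  }
end

# Constructed responses: a Basic-auth challenge, a multi-scheme challenge as a
# Windows server might send (joined into one header value), and an open page.
TOMCAT_401 = Response.new(401, { 'WWW-Authenticate' => 'Basic realm="Tomcat Manager Application"' })
IIS_401 = Response.new(401, { 'WWW-Authenticate' =>
  'Negotiate, NTLM, Digest realm="example.test", qop="auth", nonce="abc123", opaque="xyz"' })
OPEN_200 = Response.new(200, { 'Content-Type' => 'text/html' })

if __FILE__ == $PROGRAM_NAME
  [nil, OPEN_200, TOMCAT_401, IIS_401].each { |r| p setup_report(r) }
end
```

A server may send several WWW-Authenticate headers rather than one comma-joined value; if the HTTP client hands them over joined by commas, as HTTP permits, the parser handles them as shown for IIS_401. Note that the check mirrors the page's logic exactly, so a 401 without a WWW-Authenticate header is reported as "No authentication required", and a target that guards its login form with a 200-status HTML page is also reported as not requiring authentication, which is why the subclasses listed in the overview override this behaviour for their own products.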
#send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass
Sends an HTTP request with Rex

```ruby
# File 'lib/metasploit/framework/login_scanner/http.rb', line 218
def send_request(opts)
  rhost           = opts['host'] || host
  rport           = opts['rport'] || port
  cli_ssl         = opts['ssl'] || ssl
  cli_ssl_version = opts['ssl_version'] || ssl_version
  cli_proxies     = opts['proxies'] || proxies
  username        = opts['credential'] ? opts['credential'].public : http_username
  password        = opts['credential'] ? opts['credential'].private : http_password
  realm           = opts['credential'] ? opts['credential'].realm : nil
  context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}

  res = nil
  cli = Rex::Proto::Http::Client.new(
    rhost,
    rport,
    context,
    cli_ssl,
    cli_ssl_version,
    cli_proxies,
    username,
    password
  )
  configure_http_client(cli)

  # The credential's realm is passed to the client as the NTLM domain
  if realm
    cli.set_config('domain' => realm)
  end

  begin
    cli.connect
    req = cli.request_cgi(opts)

    # Authenticate by default
    res = if opts['authenticate'].nil? || opts['authenticate']
      cli.send_recv(req)
    else
      cli._send_recv(req)
    end
  rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    # Transport failures are re-raised as a single Rex::ConnectionError so that
    # attempt_login can map them to UNABLE_TO_CONNECT. The method call after
    # "e." was lost in extraction and is restored here as e.message.
    raise Rex::ConnectionError, e.message
  ensure
    cli.close
  end

  res
end
```