Class: Metasploit::Framework::LoginScanner::HTTP

Inherits:

Object

• Object
• Metasploit::Framework::LoginScanner::HTTP

Includes:

Base, RexSocket

Defined in:

lib/metasploit/framework/login_scanner/http.rb

Overview

HTTP-specific login scanner.

Direct Known Subclasses

AdvantechWebAccess, Axis2, BavisionCameras, Buffalo, Caidao, ChefWebUI, CiscoFirepower, DirectAdmin, GitLab, Glassfish, IPBoard, Jenkins, Jupyter, ManageEngineDesktopCentral, MyBookLive, Nessus, OctopusDeploy, PhpMyAdmin, Smh, SymantecWebGateway, SyncoveryFileSyncBackup, Tomcat, WinRM, WordpressMulticall, WordpressRPC, Zabbix

Constant Summary

DEFAULT_REALM =

nil

DEFAULT_PORT =

80

DEFAULT_SSL_PORT =

443

DEFAULT_HTTP_SUCCESS_CODES =

[ 200, 201 ].append(*(300..309))

LIKELY_PORTS =

[ 80, 443, 8000, 8080 ]

LIKELY_SERVICE_NAMES =

[ 'http', 'https' ]

PRIVATE_TYPES =

[ :password ]

REALM_KEY =

Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary

• #digest_auth_iis ⇒ Boolean

  Whether to conform to IIS digest authentication mode.

• #evade_header_folding ⇒ Boolean

  Whether to enable folding of HTTP headers.

• #evade_method_random_case ⇒ Boolean

  Whether to use random casing for the HTTP method.

• #evade_method_random_invalid ⇒ Boolean

  Whether to use a random invalid, HTTP method for request.

• #evade_method_random_valid ⇒ Boolean

  Whether to use a random, but valid, HTTP method for request.

• #evade_pad_fake_headers ⇒ Boolean

  Whether to insert random, fake headers into the HTTP request.

• #evade_pad_fake_headers_count ⇒ Integer

  How many fake headers to insert into the HTTP request.

• #evade_pad_get_params ⇒ Boolean

  Whether to insert random, fake query string variables into the request.

• #evade_pad_get_params_count ⇒ Integer

  How many fake query string variables to insert into the request.

• #evade_pad_method_uri_count ⇒ Integer

  How many whitespace characters to use between the method and uri.

• #evade_pad_method_uri_type ⇒ String

  What type of whitespace to use between the method and uri.

• #evade_pad_post_params ⇒ Boolean

  Whether to insert random, fake post variables into the request.

• #evade_pad_post_params_count ⇒ Integer

  How many fake post variables to insert into the request.

• #evade_pad_uri_version_count ⇒ Integer

  How many whitespace characters to use between the uri and version.

• #evade_pad_uri_version_type ⇒ String

  What type of whitespace to use between the uri and version.

• #evade_shuffle_get_params ⇒ Boolean

  Randomize order of GET parameters.

• #evade_shuffle_post_params ⇒ Boolean

  Randomize order of POST parameters.

• #evade_uri_dir_fake_relative ⇒ Boolean

  Whether to insert fake relative directories into the uri.

• #evade_uri_dir_self_reference ⇒ Boolean

  Whether to insert self-referential directories into the uri.

• #evade_uri_encode_mode ⇒ String

  The type of URI encoding to use.

• #evade_uri_fake_end ⇒ Boolean

  Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

• #evade_uri_fake_params_start ⇒ Boolean

  Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

• #evade_uri_full_url ⇒ Boolean

  Whether to use the full URL for all HTTP requests.

• #evade_uri_use_backslashes ⇒ Boolean

  Whether to use back slashes instead of forward slashes in the uri.

• #evade_version_random_invalid ⇒ Boolean

  Whether to use a random invalid, HTTP version for request.

• #evade_version_random_valid ⇒ Boolean

  Whether to use a random, but valid, HTTP version for request.

• #http_password ⇒ String
• #http_success_codes ⇒ Array

  Int

  list of valid http response codes.

• #http_username ⇒ String
• #method ⇒ Object

  Returns the value of attribute method.

• #ntlm_domain ⇒ String

  The NTLM domain to use during authentication.

• #ntlm_send_lm ⇒ Boolean

  Whether to always send the LANMAN response (except when NTLMv2_session is specified).

• #ntlm_send_ntlm ⇒ Boolean

  Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.

• #ntlm_send_spn ⇒ Boolean

  Whether to send an avp of type SPN in the NTLMv2 client blob.

• #ntlm_use_lm_key ⇒ Boolean

  Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.

• #ntlm_use_ntlmv2 ⇒ Boolean

  Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.

• #ntlm_use_ntlmv2_session ⇒ Boolean

  Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.

• #uri ⇒ String

  HTTP method, e.g.

• #user_agent ⇒ String

  The User-Agent to use for the HTTP requests.

• #vhost ⇒ String

  The Virtual Host name for the target Web Server.

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Attempt a single login with a single credential against the target.

• #check_setup ⇒ Object
• #send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

  Sends a HTTP request with Rex.

Instance Attribute Details

#digest_auth_iis ⇒ Boolean

Returns Whether to conform to IIS digest authentication mode.

Returns:

• (Boolean) —

  Whether to conform to IIS digest authentication mode.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 171

def digest_auth_iis
  @digest_auth_iis
end

#evade_header_folding ⇒ Boolean

Returns Whether to enable folding of HTTP headers.

Returns:

• (Boolean) —

  Whether to enable folding of HTTP headers

# File 'lib/metasploit/framework/login_scanner/http.rb', line 139

def evade_header_folding
  @evade_header_folding
end

#evade_method_random_case ⇒ Boolean

Returns Whether to use random casing for the HTTP method.

Returns:

• (Boolean) —

  Whether to use random casing for the HTTP method

# File 'lib/metasploit/framework/login_scanner/http.rb', line 75

def evade_method_random_case
  @evade_method_random_case
end

#evade_method_random_invalid ⇒ Boolean

Returns Whether to use a random invalid, HTTP method for request.

Returns:

• (Boolean) —

  Whether to use a random invalid, HTTP method for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 71

def evade_method_random_invalid
  @evade_method_random_invalid
end

#evade_method_random_valid ⇒ Boolean

Returns Whether to use a random, but valid, HTTP method for request.

Returns:

• (Boolean) —

  Whether to use a random, but valid, HTTP method for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 67

def evade_method_random_valid
  @evade_method_random_valid
end

#evade_pad_fake_headers ⇒ Boolean

Returns Whether to insert random, fake headers into the HTTP request.

Returns:

• (Boolean) —

  Whether to insert random, fake headers into the HTTP request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 99

def evade_pad_fake_headers
  @evade_pad_fake_headers
end

#evade_pad_fake_headers_count ⇒ Integer

Returns How many fake headers to insert into the HTTP request.

Returns:

• (Integer) —

  How many fake headers to insert into the HTTP request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 103

def evade_pad_fake_headers_count
  @evade_pad_fake_headers_count
end

#evade_pad_get_params ⇒ Boolean

Returns Whether to insert random, fake query string variables into the request.

Returns:

• (Boolean) —

  Whether to insert random, fake query string variables into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 107

def evade_pad_get_params
  @evade_pad_get_params
end

#evade_pad_get_params_count ⇒ Integer

Returns How many fake query string variables to insert into the request.

Returns:

• (Integer) —

  How many fake query string variables to insert into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 111

def evade_pad_get_params_count
  @evade_pad_get_params_count
end

#evade_pad_method_uri_count ⇒ Integer

Returns How many whitespace characters to use between the method and uri.

Returns:

• (Integer) —

  How many whitespace characters to use between the method and uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 51

def evade_pad_method_uri_count
  @evade_pad_method_uri_count
end

#evade_pad_method_uri_type ⇒ String

Returns What type of whitespace to use between the method and uri.

Returns:

• (String) —

  What type of whitespace to use between the method and uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 59

def evade_pad_method_uri_type
  @evade_pad_method_uri_type
end

#evade_pad_post_params ⇒ Boolean

Returns Whether to insert random, fake post variables into the request.

Returns:

• (Boolean) —

  Whether to insert random, fake post variables into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 115

def evade_pad_post_params
  @evade_pad_post_params
end

#evade_pad_post_params_count ⇒ Integer

Returns How many fake post variables to insert into the request.

Returns:

• (Integer) —

  How many fake post variables to insert into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 119

def evade_pad_post_params_count
  @evade_pad_post_params_count
end

#evade_pad_uri_version_count ⇒ Integer

Returns How many whitespace characters to use between the uri and version.

Returns:

• (Integer) —

  How many whitespace characters to use between the uri and version

# File 'lib/metasploit/framework/login_scanner/http.rb', line 55

def evade_pad_uri_version_count
  @evade_pad_uri_version_count
end

#evade_pad_uri_version_type ⇒ String

Returns What type of whitespace to use between the uri and version.

Returns:

• (String) —

  What type of whitespace to use between the uri and version

# File 'lib/metasploit/framework/login_scanner/http.rb', line 63

def evade_pad_uri_version_type
  @evade_pad_uri_version_type
end

#evade_shuffle_get_params ⇒ Boolean

Returns Randomize order of GET parameters.

Returns:

• (Boolean) —

  Randomize order of GET parameters

# File 'lib/metasploit/framework/login_scanner/http.rb', line 123

def evade_shuffle_get_params
  @evade_shuffle_get_params
end

#evade_shuffle_post_params ⇒ Boolean

Returns Randomize order of POST parameters.

Returns:

• (Boolean) —

  Randomize order of POST parameters

# File 'lib/metasploit/framework/login_scanner/http.rb', line 127

def evade_shuffle_post_params
  @evade_shuffle_post_params
end

#evade_uri_dir_fake_relative ⇒ Boolean

Returns Whether to insert fake relative directories into the uri.

Returns:

• (Boolean) —

  Whether to insert fake relative directories into the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 91

def evade_uri_dir_fake_relative
  @evade_uri_dir_fake_relative
end

#evade_uri_dir_self_reference ⇒ Boolean

Returns Whether to insert self-referential directories into the uri.

Returns:

• (Boolean) —

  Whether to insert self-referential directories into the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 87

def evade_uri_dir_self_reference
  @evade_uri_dir_self_reference
end

#evade_uri_encode_mode ⇒ String

Returns The type of URI encoding to use.

Returns:

• (String) —

  The type of URI encoding to use

# File 'lib/metasploit/framework/login_scanner/http.rb', line 43

def evade_uri_encode_mode
  @evade_uri_encode_mode
end

#evade_uri_fake_end ⇒ Boolean

Returns Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

Returns:

• (Boolean) —

  Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 131

def evade_uri_fake_end
  @evade_uri_fake_end
end

#evade_uri_fake_params_start ⇒ Boolean

Returns Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

Returns:

• (Boolean) —

  Whether to add a fake start of params to the URI (eg: /%3fa=b/../)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 135

def evade_uri_fake_params_start
  @evade_uri_fake_params_start
end

#evade_uri_full_url ⇒ Boolean

Returns Whether to use the full URL for all HTTP requests.

Returns:

• (Boolean) —

  Whether to use the full URL for all HTTP requests

# File 'lib/metasploit/framework/login_scanner/http.rb', line 47

def evade_uri_full_url
  @evade_uri_full_url
end

#evade_uri_use_backslashes ⇒ Boolean

Returns Whether to use back slashes instead of forward slashes in the uri.

Returns:

• (Boolean) —

  Whether to use back slashes instead of forward slashes in the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 95

def evade_uri_use_backslashes
  @evade_uri_use_backslashes
end

#evade_version_random_invalid ⇒ Boolean

Returns Whether to use a random invalid, HTTP version for request.

Returns:

• (Boolean) —

  Whether to use a random invalid, HTTP version for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 83

def evade_version_random_invalid
  @evade_version_random_invalid
end

#evade_version_random_valid ⇒ Boolean

Returns Whether to use a random, but valid, HTTP version for request.

Returns:

• (Boolean) —

  Whether to use a random, but valid, HTTP version for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 79

def evade_version_random_valid
  @evade_version_random_valid
end

#http_password ⇒ String

Returns:

• (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 179

def http_password
  @http_password
end

#http_success_codes ⇒ Array

Returns [Int] list of valid http response codes.

Returns:

• (Array) —

  Int

  list of valid http response codes

# File 'lib/metasploit/framework/login_scanner/http.rb', line 183

def http_success_codes
  @http_success_codes
end

#http_username ⇒ String

Returns:

• (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 175

def http_username
  @http_username
end

#method ⇒ Object

Returns the value of attribute method.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 31

def method
  @method
end

#ntlm_domain ⇒ String

Returns The NTLM domain to use during authentication.

Returns:

• (String) —

  The NTLM domain to use during authentication

# File 'lib/metasploit/framework/login_scanner/http.rb', line 167

def ntlm_domain
  @ntlm_domain
end

#ntlm_send_lm ⇒ Boolean

Returns Whether to always send the LANMAN response (except when NTLMv2_session is specified).

Returns:

• (Boolean) —

  Whether to always send the LANMAN response (except when NTLMv2_session is specified)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 151

def ntlm_send_lm
  @ntlm_send_lm
end

#ntlm_send_ntlm ⇒ Boolean

Returns Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.

Returns:

• (Boolean) —

  Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses

# File 'lib/metasploit/framework/login_scanner/http.rb', line 155

def ntlm_send_ntlm
  @ntlm_send_ntlm
end

#ntlm_send_spn ⇒ Boolean

Returns Whether to send an avp of type SPN in the NTLMv2 client blob.

Returns:

• (Boolean) —

  Whether to send an avp of type SPN in the NTLMv2 client blob.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 159

def ntlm_send_spn
  @ntlm_send_spn
end

#ntlm_use_lm_key ⇒ Boolean

Returns Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.

Returns:

• (Boolean) —

  Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent

# File 'lib/metasploit/framework/login_scanner/http.rb', line 163

def ntlm_use_lm_key
  @ntlm_use_lm_key
end

#ntlm_use_ntlmv2 ⇒ Boolean

Returns Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.

Returns:

• (Boolean) —

  Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled

# File 'lib/metasploit/framework/login_scanner/http.rb', line 147

def ntlm_use_ntlmv2
  @ntlm_use_ntlmv2
end

#ntlm_use_ntlmv2_session ⇒ Boolean

Returns Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.

Returns:

• (Boolean) —

  Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session

# File 'lib/metasploit/framework/login_scanner/http.rb', line 143

def ntlm_use_ntlmv2_session
  @ntlm_use_ntlmv2_session
end

#uri ⇒ String

Returns HTTP method, e.g. “GET”, “POST”.

Returns:

• (String) —

  HTTP method, e.g. “GET”, “POST”

# File 'lib/metasploit/framework/login_scanner/http.rb', line 27

def uri
  @uri
end

#user_agent ⇒ String

Returns the User-Agent to use for the HTTP requests.

Returns:

• (String) —

  the User-Agent to use for the HTTP requests

# File 'lib/metasploit/framework/login_scanner/http.rb', line 35

def user_agent
  @user_agent
end

#vhost ⇒ String

Returns the Virtual Host name for the target Web Server.

Returns:

• (String) —

  the Virtual Host name for the target Web Server

# File 'lib/metasploit/framework/login_scanner/http.rb', line 39

def vhost
  @vhost
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempt a single login with a single credential against the target.

Parameters:

• credential (Credential) —

  The credential object to attempt to login with.

Returns:

• (Result) —

  A Result object indicating success or failure

# File 'lib/metasploit/framework/login_scanner/http.rb', line 286

def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  if ssl
    result_opts[:service_name] = 'https'
  else
    result_opts[:service_name] = 'http'
  end

  begin
    response = send_request('credential'=>credential, 'uri'=>uri, 'method'=>method)
    if response && http_success_codes.include?(response.code)
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
    end
  rescue Rex::ConnectionError => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end

#check_setup ⇒ Object

# File 'lib/metasploit/framework/login_scanner/http.rb', line 195

def check_setup
  http_client = Rex::Proto::Http::Client.new(
    host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
  )
  request = http_client.request_cgi(
    'uri' => uri,
    'method' => method
  )

  begin
    # Use _send_recv instead of send_recv to skip automatic
    # authentication
    response = http_client._send_recv(request)
  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return "Unable to connect to target"
  end

  if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
    error_message = "No authentication required"
  else
    error_message = false
  end

  error_message
end

#send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

Sends a HTTP request with Rex

Parameters:

• opts (Hash) —

  native support includes the following (also see Rex::Proto::Http::Request#request_cgi)

Options Hash (opts):

• 'host' (String) —

  The remote host

• 'port' (Integer) —

  The remote port

• 'ssl' (Boolean) —

  The SSL setting, TrueClass or FalseClass

• 'proxies' (String) —

  The proxies setting

• 'credential' (Credential) —

  A credential object

• 'context' ('Hash') —

  A context

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP response

• (NilClass) —

  An error has occured while reading the response (see #Rex::Proto::Http::Client#read_response)

Raises:

• (Rex::ConnectionError) —

  One of these errors has occured: EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error

# File 'lib/metasploit/framework/login_scanner/http.rb', line 233

def send_request(opts)
  rhost           = opts['host'] || host
  rport           = opts['rport'] || port
  cli_ssl         = opts['ssl'] || ssl
  cli_ssl_version = opts['ssl_version'] || ssl_version
  cli_proxies     = opts['proxies'] || proxies
  username        = opts['credential'] ? opts['credential'].public : http_username
  password        = opts['credential'] ? opts['credential'].private : http_password
  realm           = opts['credential'] ? opts['credential'].realm : nil
  context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}

  res = nil
  cli = Rex::Proto::Http::Client.new(
    rhost,
    rport,
    context,
    cli_ssl,
    cli_ssl_version,
    cli_proxies,
    username,
    password
  )
  configure_http_client(cli)

  if realm
    cli.set_config('domain' => realm)
  end

  begin
    cli.connect
    req = cli.request_cgi(opts)
    # Authenticate by default
    res = if opts['authenticate'].nil? || opts['authenticate']
            cli.send_recv(req)
          else
            cli._send_recv(req)
          end
  rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    raise Rex::ConnectionError, e.message
  ensure
    cli.close
  end

  res
end