Class: Metasploit::Framework::LoginScanner::HTTP

Inherits:

Object

• Object
• Metasploit::Framework::LoginScanner::HTTP

Includes:

Base, RexSocket

Defined in:

lib/metasploit/framework/login_scanner/http.rb

Overview

HTTP-specific login scanner.

Direct Known Subclasses

AdvantechWebAccess, Axis2, BavisionCameras, Buffalo, Caidao, ChefWebUI, CiscoFirepower, DirectAdmin, GitLab, Glassfish, IPBoard, Ivanti, Jenkins, Jupyter, ManageEngineDesktopCentral, MyBookLive, Nessus, OPNSense, OctopusDeploy, PfSense, PhpMyAdmin, Smh, SoftingSIS, SonicWall, SymantecWebGateway, SyncoveryFileSyncBackup, TeamCity, Tomcat, WinRM, WordpressMulticall, WordpressRPC, WowzaStreamingEngineManager, Zabbix

Constant Summary

AUTHORIZATION_HEADER =

'WWW-Authenticate'.freeze

DEFAULT_REALM =

nil

DEFAULT_PORT =

80

DEFAULT_SSL_PORT =

443

DEFAULT_HTTP_SUCCESS_CODES =

[200, 201].append(*(300..309))

DEFAULT_HTTP_NOT_AUTHED_CODES =

[401]

LIKELY_PORTS =

[80, 443, 8000, 8080]

LIKELY_SERVICE_NAMES =

%w[http https]

PRIVATE_TYPES =

[:password]

REALM_KEY =

Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary

• #digest_auth_iis ⇒ Boolean

  Whether to conform to IIS digest authentication mode.

• #evade_header_folding ⇒ Boolean

  Whether to enable folding of HTTP headers.

• #evade_method_random_case ⇒ Boolean

  Whether to use random casing for the HTTP method.

• #evade_method_random_invalid ⇒ Boolean

  Whether to use a random invalid, HTTP method for request.

• #evade_method_random_valid ⇒ Boolean

  Whether to use a random, but valid, HTTP method for request.

• #evade_pad_fake_headers ⇒ Boolean

  Whether to insert random, fake headers into the HTTP request.

• #evade_pad_fake_headers_count ⇒ Integer

  How many fake headers to insert into the HTTP request.

• #evade_pad_get_params ⇒ Boolean

  Whether to insert random, fake query string variables into the request.

• #evade_pad_get_params_count ⇒ Integer

  How many fake query string variables to insert into the request.

• #evade_pad_method_uri_count ⇒ Integer

  How many whitespace characters to use between the method and uri.

• #evade_pad_method_uri_type ⇒ String

  What type of whitespace to use between the method and uri.

• #evade_pad_post_params ⇒ Boolean

  Whether to insert random, fake post variables into the request.

• #evade_pad_post_params_count ⇒ Integer

  How many fake post variables to insert into the request.

• #evade_pad_uri_version_count ⇒ Integer

  How many whitespace characters to use between the uri and version.

• #evade_pad_uri_version_type ⇒ String

  What type of whitespace to use between the uri and version.

• #evade_shuffle_get_params ⇒ Boolean

  Randomize order of GET parameters.

• #evade_shuffle_post_params ⇒ Boolean

  Randomize order of POST parameters.

• #evade_uri_dir_fake_relative ⇒ Boolean

  Whether to insert fake relative directories into the uri.

• #evade_uri_dir_self_reference ⇒ Boolean

  Whether to insert self-referential directories into the uri.

• #evade_uri_encode_mode ⇒ String

  The type of URI encoding to use.

• #evade_uri_fake_end ⇒ Boolean

  Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

• #evade_uri_fake_params_start ⇒ Boolean

  Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

• #evade_uri_full_url ⇒ Boolean

  Whether to use the full URL for all HTTP requests.

• #evade_uri_use_backslashes ⇒ Boolean

  Whether to use back slashes instead of forward slashes in the uri.

• #evade_version_random_invalid ⇒ Boolean

  Whether to use a random invalid, HTTP version for request.

• #evade_version_random_valid ⇒ Boolean

  Whether to use a random, but valid, HTTP version for request.

• #http_password ⇒ String
• #http_success_codes ⇒ Array

  Int

  list of valid http response codes.

• #http_username ⇒ String
• #keep_connection_alive ⇒ Boolean

  Whether to keep the connection open after a successful login.

• #kerberos_authenticator_factory ⇒ Func<username, password, realm> : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP

  A factory method for creating a kerberos authenticator.

• #method ⇒ Object

  Returns the value of attribute method.

• #ntlm_domain ⇒ String

  The NTLM domain to use during authentication.

• #ntlm_send_lm ⇒ Boolean

  Whether to always send the LANMAN response (except when NTLMv2_session is specified).

• #ntlm_send_ntlm ⇒ Boolean

  Whether to activate the ‘Negotiate NTLM key’ flag, indicating the use of NTLM responses.

• #ntlm_send_spn ⇒ Boolean

  Whether to send an avp of type SPN in the NTLMv2 client blob.

• #ntlm_use_lm_key ⇒ Boolean

  Activate the ‘Negotiate Lan Manager Key’ flag, using the LM key when the LM response is sent.

• #ntlm_use_ntlmv2 ⇒ Boolean

  Whether to use NTLMv2 instead of NTLM2_session when ‘Negotiate NTLM2’ is enabled.

• #ntlm_use_ntlmv2_session ⇒ Boolean

  Whether to activate the ‘Negotiate NTLM2 key’ flag, forcing the use of a NTLMv2_session.

• #uri ⇒ String

  HTTP method, e.g.

• #user_agent ⇒ String

  The User-Agent to use for the HTTP requests.

• #vhost ⇒ String

  The Virtual Host name for the target Web Server.

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Attempt a single login with a single credential against the target.

• #authentication_required?(response) ⇒ Boolean protected

  Returns a boolean value indicating whether the request requires authentication or not.

• #check_setup ⇒ Object
• #send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

  Sends a HTTP request with Rex.

Instance Attribute Details

#digest_auth_iis ⇒ Boolean

Returns Whether to conform to IIS digest authentication mode.

Returns:

• (Boolean) —

  Whether to conform to IIS digest authentication mode.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 172

def digest_auth_iis
  @digest_auth_iis
end

#evade_header_folding ⇒ Boolean

Returns Whether to enable folding of HTTP headers.

Returns:

• (Boolean) —

  Whether to enable folding of HTTP headers

# File 'lib/metasploit/framework/login_scanner/http.rb', line 140

def evade_header_folding
  @evade_header_folding
end

#evade_method_random_case ⇒ Boolean

Returns Whether to use random casing for the HTTP method.

Returns:

• (Boolean) —

  Whether to use random casing for the HTTP method

# File 'lib/metasploit/framework/login_scanner/http.rb', line 76

def evade_method_random_case
  @evade_method_random_case
end

#evade_method_random_invalid ⇒ Boolean

Returns Whether to use a random invalid, HTTP method for request.

Returns:

• (Boolean) —

  Whether to use a random invalid, HTTP method for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 72

def evade_method_random_invalid
  @evade_method_random_invalid
end

#evade_method_random_valid ⇒ Boolean

Returns Whether to use a random, but valid, HTTP method for request.

Returns:

• (Boolean) —

  Whether to use a random, but valid, HTTP method for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 68

def evade_method_random_valid
  @evade_method_random_valid
end

#evade_pad_fake_headers ⇒ Boolean

Returns Whether to insert random, fake headers into the HTTP request.

Returns:

• (Boolean) —

  Whether to insert random, fake headers into the HTTP request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 100

def evade_pad_fake_headers
  @evade_pad_fake_headers
end

#evade_pad_fake_headers_count ⇒ Integer

Returns How many fake headers to insert into the HTTP request.

Returns:

• (Integer) —

  How many fake headers to insert into the HTTP request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 104

def evade_pad_fake_headers_count
  @evade_pad_fake_headers_count
end

#evade_pad_get_params ⇒ Boolean

Returns Whether to insert random, fake query string variables into the request.

Returns:

• (Boolean) —

  Whether to insert random, fake query string variables into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 108

def evade_pad_get_params
  @evade_pad_get_params
end

#evade_pad_get_params_count ⇒ Integer

Returns How many fake query string variables to insert into the request.

Returns:

• (Integer) —

  How many fake query string variables to insert into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 112

def evade_pad_get_params_count
  @evade_pad_get_params_count
end

#evade_pad_method_uri_count ⇒ Integer

Returns How many whitespace characters to use between the method and uri.

Returns:

• (Integer) —

  How many whitespace characters to use between the method and uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 52

def evade_pad_method_uri_count
  @evade_pad_method_uri_count
end

#evade_pad_method_uri_type ⇒ String

Returns What type of whitespace to use between the method and uri.

Returns:

• (String) —

  What type of whitespace to use between the method and uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 60

def evade_pad_method_uri_type
  @evade_pad_method_uri_type
end

#evade_pad_post_params ⇒ Boolean

Returns Whether to insert random, fake post variables into the request.

Returns:

• (Boolean) —

  Whether to insert random, fake post variables into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 116

def evade_pad_post_params
  @evade_pad_post_params
end

#evade_pad_post_params_count ⇒ Integer

Returns How many fake post variables to insert into the request.

Returns:

• (Integer) —

  How many fake post variables to insert into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 120

def evade_pad_post_params_count
  @evade_pad_post_params_count
end

#evade_pad_uri_version_count ⇒ Integer

Returns How many whitespace characters to use between the uri and version.

Returns:

• (Integer) —

  How many whitespace characters to use between the uri and version

# File 'lib/metasploit/framework/login_scanner/http.rb', line 56

def evade_pad_uri_version_count
  @evade_pad_uri_version_count
end

#evade_pad_uri_version_type ⇒ String

Returns What type of whitespace to use between the uri and version.

Returns:

• (String) —

  What type of whitespace to use between the uri and version

# File 'lib/metasploit/framework/login_scanner/http.rb', line 64

def evade_pad_uri_version_type
  @evade_pad_uri_version_type
end

#evade_shuffle_get_params ⇒ Boolean

Returns Randomize order of GET parameters.

Returns:

• (Boolean) —

  Randomize order of GET parameters

# File 'lib/metasploit/framework/login_scanner/http.rb', line 124

def evade_shuffle_get_params
  @evade_shuffle_get_params
end

#evade_shuffle_post_params ⇒ Boolean

Returns Randomize order of POST parameters.

Returns:

• (Boolean) —

  Randomize order of POST parameters

# File 'lib/metasploit/framework/login_scanner/http.rb', line 128

def evade_shuffle_post_params
  @evade_shuffle_post_params
end

#evade_uri_dir_fake_relative ⇒ Boolean

Returns Whether to insert fake relative directories into the uri.

Returns:

• (Boolean) —

  Whether to insert fake relative directories into the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 92

def evade_uri_dir_fake_relative
  @evade_uri_dir_fake_relative
end

#evade_uri_dir_self_reference ⇒ Boolean

Returns Whether to insert self-referential directories into the uri.

Returns:

• (Boolean) —

  Whether to insert self-referential directories into the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 88

def evade_uri_dir_self_reference
  @evade_uri_dir_self_reference
end

#evade_uri_encode_mode ⇒ String

Returns The type of URI encoding to use.

Returns:

• (String) —

  The type of URI encoding to use

# File 'lib/metasploit/framework/login_scanner/http.rb', line 44

def evade_uri_encode_mode
  @evade_uri_encode_mode
end

#evade_uri_fake_end ⇒ Boolean

Returns Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

Returns:

• (Boolean) —

  Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 132

def evade_uri_fake_end
  @evade_uri_fake_end
end

#evade_uri_fake_params_start ⇒ Boolean

Returns Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

Returns:

• (Boolean) —

  Whether to add a fake start of params to the URI (eg: /%3fa=b/../)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 136

def evade_uri_fake_params_start
  @evade_uri_fake_params_start
end

#evade_uri_full_url ⇒ Boolean

Returns Whether to use the full URL for all HTTP requests.

Returns:

• (Boolean) —

  Whether to use the full URL for all HTTP requests

# File 'lib/metasploit/framework/login_scanner/http.rb', line 48

def evade_uri_full_url
  @evade_uri_full_url
end

#evade_uri_use_backslashes ⇒ Boolean

Returns Whether to use back slashes instead of forward slashes in the uri.

Returns:

• (Boolean) —

  Whether to use back slashes instead of forward slashes in the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 96

def evade_uri_use_backslashes
  @evade_uri_use_backslashes
end

#evade_version_random_invalid ⇒ Boolean

Returns Whether to use a random invalid, HTTP version for request.

Returns:

• (Boolean) —

  Whether to use a random invalid, HTTP version for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 84

def evade_version_random_invalid
  @evade_version_random_invalid
end

#evade_version_random_valid ⇒ Boolean

Returns Whether to use a random, but valid, HTTP version for request.

Returns:

• (Boolean) —

  Whether to use a random, but valid, HTTP version for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 80

def evade_version_random_valid
  @evade_version_random_valid
end

#http_password ⇒ String

Returns:

• (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 180

def http_password
  @http_password
end

#http_success_codes ⇒ Array

Returns [Int] list of valid http response codes.

Returns:

• (Array) —

  Int

  list of valid http response codes

# File 'lib/metasploit/framework/login_scanner/http.rb', line 192

def http_success_codes
  @http_success_codes
end

#http_username ⇒ String

Returns:

• (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 176

def http_username
  @http_username
end

#keep_connection_alive ⇒ Boolean

Returns Whether to keep the connection open after a successful login.

Returns:

• (Boolean) —

  Whether to keep the connection open after a successful login

# File 'lib/metasploit/framework/login_scanner/http.rb', line 188

def keep_connection_alive
  @keep_connection_alive
end

#kerberos_authenticator_factory ⇒ Func<username, password, realm> : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP

Returns A factory method for creating a kerberos authenticator.

Returns:

• (Func<username, password, realm> : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP) —

  A factory method for creating a kerberos authenticator

# File 'lib/metasploit/framework/login_scanner/http.rb', line 184

def kerberos_authenticator_factory
  @kerberos_authenticator_factory
end

#method ⇒ Object

Returns the value of attribute method.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 32

def method
  @method
end

#ntlm_domain ⇒ String

Returns The NTLM domain to use during authentication.

Returns:

• (String) —

  The NTLM domain to use during authentication

# File 'lib/metasploit/framework/login_scanner/http.rb', line 168

def ntlm_domain
  @ntlm_domain
end

#ntlm_send_lm ⇒ Boolean

Returns Whether to always send the LANMAN response (except when NTLMv2_session is specified).

Returns:

• (Boolean) —

  Whether to always send the LANMAN response (except when NTLMv2_session is specified)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 152

def ntlm_send_lm
  @ntlm_send_lm
end

#ntlm_send_ntlm ⇒ Boolean

Returns Whether to activate the ‘Negotiate NTLM key’ flag, indicating the use of NTLM responses.

Returns:

• (Boolean) —

  Whether to activate the ‘Negotiate NTLM key’ flag, indicating the use of NTLM responses

# File 'lib/metasploit/framework/login_scanner/http.rb', line 156

def ntlm_send_ntlm
  @ntlm_send_ntlm
end

#ntlm_send_spn ⇒ Boolean

Returns Whether to send an avp of type SPN in the NTLMv2 client blob.

Returns:

• (Boolean) —

  Whether to send an avp of type SPN in the NTLMv2 client blob.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 160

def ntlm_send_spn
  @ntlm_send_spn
end

#ntlm_use_lm_key ⇒ Boolean

Returns Activate the ‘Negotiate Lan Manager Key’ flag, using the LM key when the LM response is sent.

Returns:

• (Boolean) —

  Activate the ‘Negotiate Lan Manager Key’ flag, using the LM key when the LM response is sent

# File 'lib/metasploit/framework/login_scanner/http.rb', line 164

def ntlm_use_lm_key
  @ntlm_use_lm_key
end

#ntlm_use_ntlmv2 ⇒ Boolean

Returns Whether to use NTLMv2 instead of NTLM2_session when ‘Negotiate NTLM2’ is enabled.

Returns:

• (Boolean) —

  Whether to use NTLMv2 instead of NTLM2_session when ‘Negotiate NTLM2’ is enabled

# File 'lib/metasploit/framework/login_scanner/http.rb', line 148

def ntlm_use_ntlmv2
  @ntlm_use_ntlmv2
end

#ntlm_use_ntlmv2_session ⇒ Boolean

Returns Whether to activate the ‘Negotiate NTLM2 key’ flag, forcing the use of a NTLMv2_session.

Returns:

• (Boolean) —

  Whether to activate the ‘Negotiate NTLM2 key’ flag, forcing the use of a NTLMv2_session

# File 'lib/metasploit/framework/login_scanner/http.rb', line 144

def ntlm_use_ntlmv2_session
  @ntlm_use_ntlmv2_session
end

#uri ⇒ String

Returns HTTP method, e.g. “GET”, “POST”.

Returns:

• (String) —

  HTTP method, e.g. “GET”, “POST”

# File 'lib/metasploit/framework/login_scanner/http.rb', line 28

def uri
  @uri
end

#user_agent ⇒ String

Returns the User-Agent to use for the HTTP requests.

Returns:

• (String) —

  the User-Agent to use for the HTTP requests

# File 'lib/metasploit/framework/login_scanner/http.rb', line 36

def user_agent
  @user_agent
end

#vhost ⇒ String

Returns the Virtual Host name for the target Web Server.

Returns:

• (String) —

  the Virtual Host name for the target Web Server

# File 'lib/metasploit/framework/login_scanner/http.rb', line 40

def vhost
  @vhost
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempt a single login with a single credential against the target.

Parameters:

• credential (Credential) —

  The credential object to attempt to login with.

Returns:

• (Result) —

  A Result object indicating success or failure

# File 'lib/metasploit/framework/login_scanner/http.rb', line 273

def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  if ssl
    result_opts[:service_name] = 'https'
  else
    result_opts[:service_name] = 'http'
  end

  request_opts = {'credential'=>credential, 'uri'=>uri, 'method'=>method}
  if keep_connection_alive
    request_opts[:http_client] = create_client(request_opts)
  end

  begin
    response = send_request(request_opts)
    if response && http_success_codes.include?(response.code)
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
    end
  rescue Rex::ConnectionError => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
    mapped_err = Metasploit::Framework::LoginScanner::Kerberos.login_status_for_kerberos_error(e)
    result_opts.merge!(status: mapped_err, proof: e)
  ensure
    if request_opts.key?(:http_client)
      if result_opts[:status] == Metasploit::Model::Login::Status::SUCCESSFUL
        result_opts[:connection] = request_opts[:http_client]
      else
        request_opts[:http_client].close
      end
    end
  end

  Result.new(result_opts)
end

#authentication_required?(response) ⇒ Boolean (protected)

Returns a boolean value indicating whether the request requires authentication or not.

Parameters:

• response (Rex::Proto::Http::Response) —

  The response received from the HTTP endpoint

Returns:

• (Boolean) —

  True if the request required authentication; otherwise false.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 323

def authentication_required?(response)
  return false unless response

  self.class::DEFAULT_HTTP_NOT_AUTHED_CODES.include?(response.code) &&
    response.headers[self.class::AUTHORIZATION_HEADER]
end

#check_setup ⇒ Object

# File 'lib/metasploit/framework/login_scanner/http.rb', line 203

def check_setup
  http_client = Rex::Proto::Http::Client.new(
    host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
  )
  request = http_client.request_cgi(
    'uri' => uri,
    'method' => method
  )

  begin
    # Use _send_recv instead of send_recv to skip automatic
    # authentication
    response = http_client._send_recv(request)
  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return 'Unable to connect to target'
  end

  if authentication_required?(response)
    return false
  end

  'No authentication required'
end

#send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

Sends a HTTP request with Rex

Parameters:

• opts (Hash) —

  native support includes the following (also see Rex::Proto::Http::Request#request_cgi)

Options Hash (opts):

• 'host' (String) —

  The remote host

• 'port' (Integer) —

  The remote port

• 'ssl' (Boolean) —

  The SSL setting, TrueClass or FalseClass

• 'proxies' (String) —

  The proxies setting

• 'credential' (Credential) —

  A credential object

• 'http_client' (Rex::Proto::Http::Client) —

  object that can be used by the function

• 'context' ('Hash') —

  A context

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP response

• (NilClass) —

  An error has occurred while reading the response (see #Rex::Proto::Http::Client#read_response)

Raises:

• (Rex::ConnectionError) —

  One of these errors has occurred: EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error

# File 'lib/metasploit/framework/login_scanner/http.rb', line 240

def send_request(opts)
  close_client = !opts.key?(:http_client)
  cli = opts.fetch(:http_client) { create_client(opts) }

  begin
    cli.connect
    req = cli.request_cgi(opts)

    # Authenticate by default
    res = if opts['authenticate'].nil? || opts['authenticate']
            cli.send_recv(req)
          else
            cli._send_recv(req)
          end
  rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    raise Rex::ConnectionError, e.message
  ensure
    # If we didn't create the client, don't close it
    if close_client
      cli.close
    end
  end

  res
end