Class: Metasploit::Framework::LoginScanner::HTTP

Inherits:
Object
  • Object
show all
Includes:
Base, RexSocket
Defined in:
lib/metasploit/framework/login_scanner/http.rb

Overview

HTTP-specific login scanner.

Constant Summary collapse

DEFAULT_REALM =
nil
DEFAULT_PORT =
80
DEFAULT_SSL_PORT =
443
DEFAULT_HTTP_SUCCESS_CODES =
[ 200, 201 ].append(*(300..309))
LIKELY_PORTS =
[ 80, 443, 8000, 8080 ]
LIKELY_SERVICE_NAMES =
[ 'http', 'https' ]
PRIVATE_TYPES =
[ :password ]
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#digest_auth_iisBoolean

Returns Whether to conform to IIS digest authentication mode.

Returns:

  • (Boolean)

    Whether to conform to IIS digest authentication mode.



171
172
173
# File 'lib/metasploit/framework/login_scanner/http.rb', line 171

def digest_auth_iis
  @digest_auth_iis
end

#evade_header_foldingBoolean

Returns Whether to enable folding of HTTP headers.

Returns:

  • (Boolean)

    Whether to enable folding of HTTP headers



139
140
141
# File 'lib/metasploit/framework/login_scanner/http.rb', line 139

def evade_header_folding
  @evade_header_folding
end

#evade_method_random_caseBoolean

Returns Whether to use random casing for the HTTP method.

Returns:

  • (Boolean)

    Whether to use random casing for the HTTP method



75
76
77
# File 'lib/metasploit/framework/login_scanner/http.rb', line 75

def evade_method_random_case
  @evade_method_random_case
end

#evade_method_random_invalidBoolean

Returns Whether to use a random invalid, HTTP method for request.

Returns:

  • (Boolean)

    Whether to use a random invalid, HTTP method for request



71
72
73
# File 'lib/metasploit/framework/login_scanner/http.rb', line 71

def evade_method_random_invalid
  @evade_method_random_invalid
end

#evade_method_random_validBoolean

Returns Whether to use a random, but valid, HTTP method for request.

Returns:

  • (Boolean)

    Whether to use a random, but valid, HTTP method for request



67
68
69
# File 'lib/metasploit/framework/login_scanner/http.rb', line 67

def evade_method_random_valid
  @evade_method_random_valid
end

#evade_pad_fake_headersBoolean

Returns Whether to insert random, fake headers into the HTTP request.

Returns:

  • (Boolean)

    Whether to insert random, fake headers into the HTTP request



99
100
101
# File 'lib/metasploit/framework/login_scanner/http.rb', line 99

def evade_pad_fake_headers
  @evade_pad_fake_headers
end

#evade_pad_fake_headers_countInteger

Returns How many fake headers to insert into the HTTP request.

Returns:

  • (Integer)

    How many fake headers to insert into the HTTP request



103
104
105
# File 'lib/metasploit/framework/login_scanner/http.rb', line 103

def evade_pad_fake_headers_count
  @evade_pad_fake_headers_count
end

#evade_pad_get_paramsBoolean

Returns Whether to insert random, fake query string variables into the request.

Returns:

  • (Boolean)

    Whether to insert random, fake query string variables into the request



107
108
109
# File 'lib/metasploit/framework/login_scanner/http.rb', line 107

def evade_pad_get_params
  @evade_pad_get_params
end

#evade_pad_get_params_countInteger

Returns How many fake query string variables to insert into the request.

Returns:

  • (Integer)

    How many fake query string variables to insert into the request



111
112
113
# File 'lib/metasploit/framework/login_scanner/http.rb', line 111

def evade_pad_get_params_count
  @evade_pad_get_params_count
end

#evade_pad_method_uri_countInteger

Returns How many whitespace characters to use between the method and uri.

Returns:

  • (Integer)

    How many whitespace characters to use between the method and uri



51
52
53
# File 'lib/metasploit/framework/login_scanner/http.rb', line 51

def evade_pad_method_uri_count
  @evade_pad_method_uri_count
end

#evade_pad_method_uri_typeString

Returns What type of whitespace to use between the method and uri.

Returns:

  • (String)

    What type of whitespace to use between the method and uri



59
60
61
# File 'lib/metasploit/framework/login_scanner/http.rb', line 59

def evade_pad_method_uri_type
  @evade_pad_method_uri_type
end

#evade_pad_post_paramsBoolean

Returns Whether to insert random, fake post variables into the request.

Returns:

  • (Boolean)

    Whether to insert random, fake post variables into the request



115
116
117
# File 'lib/metasploit/framework/login_scanner/http.rb', line 115

def evade_pad_post_params
  @evade_pad_post_params
end

#evade_pad_post_params_countInteger

Returns How many fake post variables to insert into the request.

Returns:

  • (Integer)

    How many fake post variables to insert into the request



119
120
121
# File 'lib/metasploit/framework/login_scanner/http.rb', line 119

def evade_pad_post_params_count
  @evade_pad_post_params_count
end

#evade_pad_uri_version_countInteger

Returns How many whitespace characters to use between the uri and version.

Returns:

  • (Integer)

    How many whitespace characters to use between the uri and version



55
56
57
# File 'lib/metasploit/framework/login_scanner/http.rb', line 55

def evade_pad_uri_version_count
  @evade_pad_uri_version_count
end

#evade_pad_uri_version_typeString

Returns What type of whitespace to use between the uri and version.

Returns:

  • (String)

    What type of whitespace to use between the uri and version



63
64
65
# File 'lib/metasploit/framework/login_scanner/http.rb', line 63

def evade_pad_uri_version_type
  @evade_pad_uri_version_type
end

#evade_shuffle_get_paramsBoolean

Returns Randomize order of GET parameters.

Returns:

  • (Boolean)

    Randomize order of GET parameters



123
124
125
# File 'lib/metasploit/framework/login_scanner/http.rb', line 123

def evade_shuffle_get_params
  @evade_shuffle_get_params
end

#evade_shuffle_post_paramsBoolean

Returns Randomize order of POST parameters.

Returns:

  • (Boolean)

    Randomize order of POST parameters



127
128
129
# File 'lib/metasploit/framework/login_scanner/http.rb', line 127

def evade_shuffle_post_params
  @evade_shuffle_post_params
end

#evade_uri_dir_fake_relativeBoolean

Returns Whether to insert fake relative directories into the uri.

Returns:

  • (Boolean)

    Whether to insert fake relative directories into the uri



91
92
93
# File 'lib/metasploit/framework/login_scanner/http.rb', line 91

def evade_uri_dir_fake_relative
  @evade_uri_dir_fake_relative
end

#evade_uri_dir_self_referenceBoolean

Returns Whether to insert self-referential directories into the uri.

Returns:

  • (Boolean)

    Whether to insert self-referential directories into the uri



87
88
89
# File 'lib/metasploit/framework/login_scanner/http.rb', line 87

def evade_uri_dir_self_reference
  @evade_uri_dir_self_reference
end

#evade_uri_encode_modeString

Returns The type of URI encoding to use.

Returns:

  • (String)

    The type of URI encoding to use



43
44
45
# File 'lib/metasploit/framework/login_scanner/http.rb', line 43

def evade_uri_encode_mode
  @evade_uri_encode_mode
end

#evade_uri_fake_endBoolean

Returns Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

Returns:

  • (Boolean)

    Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../)



131
132
133
# File 'lib/metasploit/framework/login_scanner/http.rb', line 131

def evade_uri_fake_end
  @evade_uri_fake_end
end

#evade_uri_fake_params_startBoolean

Returns Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

Returns:

  • (Boolean)

    Whether to add a fake start of params to the URI (eg: /%3fa=b/../)



135
136
137
# File 'lib/metasploit/framework/login_scanner/http.rb', line 135

def evade_uri_fake_params_start
  @evade_uri_fake_params_start
end

#evade_uri_full_urlBoolean

Returns Whether to use the full URL for all HTTP requests.

Returns:

  • (Boolean)

    Whether to use the full URL for all HTTP requests



47
48
49
# File 'lib/metasploit/framework/login_scanner/http.rb', line 47

def evade_uri_full_url
  @evade_uri_full_url
end

#evade_uri_use_backslashesBoolean

Returns Whether to use back slashes instead of forward slashes in the uri.

Returns:

  • (Boolean)

    Whether to use back slashes instead of forward slashes in the uri



95
96
97
# File 'lib/metasploit/framework/login_scanner/http.rb', line 95

def evade_uri_use_backslashes
  @evade_uri_use_backslashes
end

#evade_version_random_invalidBoolean

Returns Whether to use a random invalid, HTTP version for request.

Returns:

  • (Boolean)

    Whether to use a random invalid, HTTP version for request



83
84
85
# File 'lib/metasploit/framework/login_scanner/http.rb', line 83

def evade_version_random_invalid
  @evade_version_random_invalid
end

#evade_version_random_validBoolean

Returns Whether to use a random, but valid, HTTP version for request.

Returns:

  • (Boolean)

    Whether to use a random, but valid, HTTP version for request



79
80
81
# File 'lib/metasploit/framework/login_scanner/http.rb', line 79

def evade_version_random_valid
  @evade_version_random_valid
end

#http_passwordString

Returns:

  • (String)


179
180
181
# File 'lib/metasploit/framework/login_scanner/http.rb', line 179

def http_password
  @http_password
end

#http_success_codesArray

Returns [Int] list of valid http response codes.

Returns:

  • (Array)
    Int

    list of valid http response codes



183
184
185
# File 'lib/metasploit/framework/login_scanner/http.rb', line 183

def http_success_codes
  @http_success_codes
end

#http_usernameString

Returns:

  • (String)


175
176
177
# File 'lib/metasploit/framework/login_scanner/http.rb', line 175

def http_username
  @http_username
end

#methodObject

Returns the value of attribute method.



31
32
33
# File 'lib/metasploit/framework/login_scanner/http.rb', line 31

def method
  @method
end

#ntlm_domainString

Returns The NTLM domain to use during authentication.

Returns:

  • (String)

    The NTLM domain to use during authentication



167
168
169
# File 'lib/metasploit/framework/login_scanner/http.rb', line 167

def ntlm_domain
  @ntlm_domain
end

#ntlm_send_lmBoolean

Returns Whether to always send the LANMAN response (except when NTLMv2_session is specified).

Returns:

  • (Boolean)

    Whether to always send the LANMAN response (except when NTLMv2_session is specified)



151
152
153
# File 'lib/metasploit/framework/login_scanner/http.rb', line 151

def ntlm_send_lm
  @ntlm_send_lm
end

#ntlm_send_ntlmBoolean

Returns Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.

Returns:

  • (Boolean)

    Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses



155
156
157
# File 'lib/metasploit/framework/login_scanner/http.rb', line 155

def ntlm_send_ntlm
  @ntlm_send_ntlm
end

#ntlm_send_spnBoolean

Returns Whether to send an avp of type SPN in the NTLMv2 client blob.

Returns:

  • (Boolean)

    Whether to send an avp of type SPN in the NTLMv2 client blob.



159
160
161
# File 'lib/metasploit/framework/login_scanner/http.rb', line 159

def ntlm_send_spn
  @ntlm_send_spn
end

#ntlm_use_lm_keyBoolean

Returns Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.

Returns:

  • (Boolean)

    Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent



163
164
165
# File 'lib/metasploit/framework/login_scanner/http.rb', line 163

def ntlm_use_lm_key
  @ntlm_use_lm_key
end

#ntlm_use_ntlmv2Boolean

Returns Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.

Returns:

  • (Boolean)

    Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled



147
148
149
# File 'lib/metasploit/framework/login_scanner/http.rb', line 147

def ntlm_use_ntlmv2
  @ntlm_use_ntlmv2
end

#ntlm_use_ntlmv2_sessionBoolean

Returns Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.

Returns:

  • (Boolean)

    Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session



143
144
145
# File 'lib/metasploit/framework/login_scanner/http.rb', line 143

def ntlm_use_ntlmv2_session
  @ntlm_use_ntlmv2_session
end

#uriString

Returns HTTP method, e.g. “GET”, “POST”.

Returns:

  • (String)

    HTTP method, e.g. “GET”, “POST”



27
28
29
# File 'lib/metasploit/framework/login_scanner/http.rb', line 27

def uri
  @uri
end

#user_agentString

Returns the User-Agent to use for the HTTP requests.

Returns:

  • (String)

    the User-Agent to use for the HTTP requests



35
36
37
# File 'lib/metasploit/framework/login_scanner/http.rb', line 35

def user_agent
  @user_agent
end

#vhostString

Returns the Virtual Host name for the target Web Server.

Returns:

  • (String)

    the Virtual Host name for the target Web Server



39
40
41
# File 'lib/metasploit/framework/login_scanner/http.rb', line 39

def vhost
  @vhost
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempt a single login with a single credential against the target.

Parameters:

  • credential (Credential)

    The credential object to attempt to login with.

Returns:

  • (Result)

    A Result object indicating success or failure



286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
# File 'lib/metasploit/framework/login_scanner/http.rb', line 286

def (credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  if ssl
    result_opts[:service_name] = 'https'
  else
    result_opts[:service_name] = 'http'
  end

  begin
    response = send_request('credential'=>credential, 'uri'=>uri, 'method'=>method)
    if response && http_success_codes.include?(response.code)
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
    end
  rescue Rex::ConnectionError => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end

#check_setupObject



195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
# File 'lib/metasploit/framework/login_scanner/http.rb', line 195

def check_setup
  http_client = Rex::Proto::Http::Client.new(
    host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
  )
  request = http_client.request_cgi(
    'uri' => uri,
    'method' => method
  )

  begin
    # Use _send_recv instead of send_recv to skip automatic
    # authentication
    response = http_client._send_recv(request)
  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return "Unable to connect to target"
  end

  if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
    error_message = "No authentication required"
  else
    error_message = false
  end

  error_message
end

#send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

Sends a HTTP request with Rex

Parameters:

  • opts (Hash)

    native support includes the following (also see Rex::Proto::Http::Request#request_cgi)

Options Hash (opts):

  • 'host' (String)

    The remote host

  • 'port' (Integer)

    The remote port

  • 'ssl' (Boolean)

    The SSL setting, TrueClass or FalseClass

  • 'proxies' (String)

    The proxies setting

  • 'credential' (Credential)

    A credential object

  • 'context' ('Hash')

    A context

Returns:

  • (Rex::Proto::Http::Response)

    The HTTP response

  • (NilClass)

    An error has occured while reading the response (see #Rex::Proto::Http::Client#read_response)

Raises:

  • (Rex::ConnectionError)

    One of these errors has occured: EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error



233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
# File 'lib/metasploit/framework/login_scanner/http.rb', line 233

def send_request(opts)
  rhost           = opts['host'] || host
  rport           = opts['rport'] || port
  cli_ssl         = opts['ssl'] || ssl
  cli_ssl_version = opts['ssl_version'] || ssl_version
  cli_proxies     = opts['proxies'] || proxies
  username        = opts['credential'] ? opts['credential'].public : http_username
  password        = opts['credential'] ? opts['credential'].private : http_password
  realm           = opts['credential'] ? opts['credential'].realm : nil
  context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}

  res = nil
  cli = Rex::Proto::Http::Client.new(
    rhost,
    rport,
    context,
    cli_ssl,
    cli_ssl_version,
    cli_proxies,
    username,
    password
  )
  configure_http_client(cli)

  if realm
    cli.set_config('domain' => realm)
  end

  begin
    cli.connect
    req = cli.request_cgi(opts)
    # Authenticate by default
    res = if opts['authenticate'].nil? || opts['authenticate']
            cli.send_recv(req)
          else
            cli._send_recv(req)
          end
  rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    raise Rex::ConnectionError, e.message
  ensure
    cli.close
  end

  res
end