Class: Metasploit::Framework::LoginScanner::HTTP

Inherits:

Object

• Object
• Metasploit::Framework::LoginScanner::HTTP

Includes:

Base, RexSocket

Defined in:

lib/metasploit/framework/login_scanner/http.rb

Overview

HTTP-specific login scanner.

Direct Known Subclasses

AdvantechWebAccess, Axis2, BavisionCameras, Buffalo, Caidao, ChefWebUI, CiscoFirepower, DirectAdmin, GitLab, Glassfish, IPBoard, Jenkins, Jupyter, ManageEngineDesktopCentral, MyBookLive, Nessus, OctopusDeploy, PhpMyAdmin, Smh, SymantecWebGateway, Tomcat, WinRM, WordpressMulticall, WordpressRPC, Zabbix

Constant Summary

DEFAULT_REALM =

nil

DEFAULT_PORT =

80

DEFAULT_SSL_PORT =

443

LIKELY_PORTS =

[ 80, 443, 8000, 8080 ]

LIKELY_SERVICE_NAMES =

[ 'http', 'https' ]

PRIVATE_TYPES =

[ :password ]

REALM_KEY =

Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary

• #digest_auth_iis ⇒ Boolean

  Whether to conform to IIS digest authentication mode.

• #evade_header_folding ⇒ Boolean

  Whether to enable folding of HTTP headers.

• #evade_method_random_case ⇒ Boolean

  Whether to use random casing for the HTTP method.

• #evade_method_random_invalid ⇒ Boolean

  Whether to use a random invalid, HTTP method for request.

• #evade_method_random_valid ⇒ Boolean

  Whether to use a random, but valid, HTTP method for request.

• #evade_pad_fake_headers ⇒ Boolean

  Whether to insert random, fake headers into the HTTP request.

• #evade_pad_fake_headers_count ⇒ Integer

  How many fake headers to insert into the HTTP request.

• #evade_pad_get_params ⇒ Boolean

  Whether to insert random, fake query string variables into the request.

• #evade_pad_get_params_count ⇒ Integer

  How many fake query string variables to insert into the request.

• #evade_pad_method_uri_count ⇒ Integer

  How many whitespace characters to use between the method and uri.

• #evade_pad_method_uri_type ⇒ String

  What type of whitespace to use between the method and uri.

• #evade_pad_post_params ⇒ Boolean

  Whether to insert random, fake post variables into the request.

• #evade_pad_post_params_count ⇒ Integer

  How many fake post variables to insert into the request.

• #evade_pad_uri_version_count ⇒ Integer

  How many whitespace characters to use between the uri and version.

• #evade_pad_uri_version_type ⇒ String

  What type of whitespace to use between the uri and version.

• #evade_uri_dir_fake_relative ⇒ Boolean

  Whether to insert fake relative directories into the uri.

• #evade_uri_dir_self_reference ⇒ Boolean

  Whether to insert self-referential directories into the uri.

• #evade_uri_encode_mode ⇒ String

  The type of URI encoding to use.

• #evade_uri_fake_end ⇒ Boolean

  Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

• #evade_uri_fake_params_start ⇒ Boolean

  Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

• #evade_uri_full_url ⇒ Boolean

  Whether to use the full URL for all HTTP requests.

• #evade_uri_use_backslashes ⇒ Boolean

  Whether to use back slashes instead of forward slashes in the uri.

• #evade_version_random_invalid ⇒ Boolean

  Whether to use a random invalid, HTTP version for request.

• #evade_version_random_valid ⇒ Boolean

  Whether to use a random, but valid, HTTP version for request.

• #http_password ⇒ String
• #http_username ⇒ String
• #method ⇒ Object

  Returns the value of attribute method.

• #ntlm_domain ⇒ String

  The NTLM domain to use during authentication.

• #ntlm_send_lm ⇒ Boolean

  Whether to always send the LANMAN response (except when NTLMv2_session is specified).

• #ntlm_send_ntlm ⇒ Boolean

  Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.

• #ntlm_send_spn ⇒ Boolean

  Whether to send an avp of type SPN in the NTLMv2 client blob.

• #ntlm_use_lm_key ⇒ Boolean

  Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.

• #ntlm_use_ntlmv2 ⇒ Boolean

  Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.

• #ntlm_use_ntlmv2_session ⇒ Boolean

  Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.

• #uri ⇒ String

  HTTP method, e.g.

• #user_agent ⇒ String

  The User-Agent to use for the HTTP requests.

• #vhost ⇒ String

  The Virtual Host name for the target Web Server.

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Attempt a single login with a single credential against the target.

• #check_setup ⇒ Object
• #send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

  Sends a HTTP request with Rex.

Instance Attribute Details

#digest_auth_iis ⇒ Boolean

Returns Whether to conform to IIS digest authentication mode.

Returns:

• (Boolean) —

  Whether to conform to IIS digest authentication mode.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 162

def digest_auth_iis
  @digest_auth_iis
end

#evade_header_folding ⇒ Boolean

Returns Whether to enable folding of HTTP headers.

Returns:

• (Boolean) —

  Whether to enable folding of HTTP headers

# File 'lib/metasploit/framework/login_scanner/http.rb', line 130

def evade_header_folding
  @evade_header_folding
end

#evade_method_random_case ⇒ Boolean

Returns Whether to use random casing for the HTTP method.

Returns:

• (Boolean) —

  Whether to use random casing for the HTTP method

# File 'lib/metasploit/framework/login_scanner/http.rb', line 74

def evade_method_random_case
  @evade_method_random_case
end

#evade_method_random_invalid ⇒ Boolean

Returns Whether to use a random invalid, HTTP method for request.

Returns:

• (Boolean) —

  Whether to use a random invalid, HTTP method for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 70

def evade_method_random_invalid
  @evade_method_random_invalid
end

#evade_method_random_valid ⇒ Boolean

Returns Whether to use a random, but valid, HTTP method for request.

Returns:

• (Boolean) —

  Whether to use a random, but valid, HTTP method for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 66

def evade_method_random_valid
  @evade_method_random_valid
end

#evade_pad_fake_headers ⇒ Boolean

Returns Whether to insert random, fake headers into the HTTP request.

Returns:

• (Boolean) —

  Whether to insert random, fake headers into the HTTP request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 98

def evade_pad_fake_headers
  @evade_pad_fake_headers
end

#evade_pad_fake_headers_count ⇒ Integer

Returns How many fake headers to insert into the HTTP request.

Returns:

• (Integer) —

  How many fake headers to insert into the HTTP request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 102

def evade_pad_fake_headers_count
  @evade_pad_fake_headers_count
end

#evade_pad_get_params ⇒ Boolean

Returns Whether to insert random, fake query string variables into the request.

Returns:

• (Boolean) —

  Whether to insert random, fake query string variables into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 106

def evade_pad_get_params
  @evade_pad_get_params
end

#evade_pad_get_params_count ⇒ Integer

Returns How many fake query string variables to insert into the request.

Returns:

• (Integer) —

  How many fake query string variables to insert into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 110

def evade_pad_get_params_count
  @evade_pad_get_params_count
end

#evade_pad_method_uri_count ⇒ Integer

Returns How many whitespace characters to use between the method and uri.

Returns:

• (Integer) —

  How many whitespace characters to use between the method and uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 50

def evade_pad_method_uri_count
  @evade_pad_method_uri_count
end

#evade_pad_method_uri_type ⇒ String

Returns What type of whitespace to use between the method and uri.

Returns:

• (String) —

  What type of whitespace to use between the method and uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 58

def evade_pad_method_uri_type
  @evade_pad_method_uri_type
end

#evade_pad_post_params ⇒ Boolean

Returns Whether to insert random, fake post variables into the request.

Returns:

• (Boolean) —

  Whether to insert random, fake post variables into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 114

def evade_pad_post_params
  @evade_pad_post_params
end

#evade_pad_post_params_count ⇒ Integer

Returns How many fake post variables to insert into the request.

Returns:

• (Integer) —

  How many fake post variables to insert into the request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 118

def evade_pad_post_params_count
  @evade_pad_post_params_count
end

#evade_pad_uri_version_count ⇒ Integer

Returns How many whitespace characters to use between the uri and version.

Returns:

• (Integer) —

  How many whitespace characters to use between the uri and version

# File 'lib/metasploit/framework/login_scanner/http.rb', line 54

def evade_pad_uri_version_count
  @evade_pad_uri_version_count
end

#evade_pad_uri_version_type ⇒ String

Returns What type of whitespace to use between the uri and version.

Returns:

• (String) —

  What type of whitespace to use between the uri and version

# File 'lib/metasploit/framework/login_scanner/http.rb', line 62

def evade_pad_uri_version_type
  @evade_pad_uri_version_type
end

#evade_uri_dir_fake_relative ⇒ Boolean

Returns Whether to insert fake relative directories into the uri.

Returns:

• (Boolean) —

  Whether to insert fake relative directories into the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 90

def evade_uri_dir_fake_relative
  @evade_uri_dir_fake_relative
end

#evade_uri_dir_self_reference ⇒ Boolean

Returns Whether to insert self-referential directories into the uri.

Returns:

• (Boolean) —

  Whether to insert self-referential directories into the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 86

def evade_uri_dir_self_reference
  @evade_uri_dir_self_reference
end

#evade_uri_encode_mode ⇒ String

Returns The type of URI encoding to use.

Returns:

• (String) —

  The type of URI encoding to use

# File 'lib/metasploit/framework/login_scanner/http.rb', line 42

def evade_uri_encode_mode
  @evade_uri_encode_mode
end

#evade_uri_fake_end ⇒ Boolean

Returns Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

Returns:

• (Boolean) —

  Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 122

def evade_uri_fake_end
  @evade_uri_fake_end
end

#evade_uri_fake_params_start ⇒ Boolean

Returns Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

Returns:

• (Boolean) —

  Whether to add a fake start of params to the URI (eg: /%3fa=b/../)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 126

def evade_uri_fake_params_start
  @evade_uri_fake_params_start
end

#evade_uri_full_url ⇒ Boolean

Returns Whether to use the full URL for all HTTP requests.

Returns:

• (Boolean) —

  Whether to use the full URL for all HTTP requests

# File 'lib/metasploit/framework/login_scanner/http.rb', line 46

def evade_uri_full_url
  @evade_uri_full_url
end

#evade_uri_use_backslashes ⇒ Boolean

Returns Whether to use back slashes instead of forward slashes in the uri.

Returns:

• (Boolean) —

  Whether to use back slashes instead of forward slashes in the uri

# File 'lib/metasploit/framework/login_scanner/http.rb', line 94

def evade_uri_use_backslashes
  @evade_uri_use_backslashes
end

#evade_version_random_invalid ⇒ Boolean

Returns Whether to use a random invalid, HTTP version for request.

Returns:

• (Boolean) —

  Whether to use a random invalid, HTTP version for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 82

def evade_version_random_invalid
  @evade_version_random_invalid
end

#evade_version_random_valid ⇒ Boolean

Returns Whether to use a random, but valid, HTTP version for request.

Returns:

• (Boolean) —

  Whether to use a random, but valid, HTTP version for request

# File 'lib/metasploit/framework/login_scanner/http.rb', line 78

def evade_version_random_valid
  @evade_version_random_valid
end

#http_password ⇒ String

Returns:

• (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 170

def http_password
  @http_password
end

#http_username ⇒ String

Returns:

• (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 166

def http_username
  @http_username
end

#method ⇒ Object

Returns the value of attribute method.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 30

def method
  @method
end

#ntlm_domain ⇒ String

Returns The NTLM domain to use during authentication.

Returns:

• (String) —

  The NTLM domain to use during authentication

# File 'lib/metasploit/framework/login_scanner/http.rb', line 158

def ntlm_domain
  @ntlm_domain
end

#ntlm_send_lm ⇒ Boolean

Returns Whether to always send the LANMAN response (except when NTLMv2_session is specified).

Returns:

• (Boolean) —

  Whether to always send the LANMAN response (except when NTLMv2_session is specified)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 142

def ntlm_send_lm
  @ntlm_send_lm
end

#ntlm_send_ntlm ⇒ Boolean

Returns Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.

Returns:

• (Boolean) —

  Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses

# File 'lib/metasploit/framework/login_scanner/http.rb', line 146

def ntlm_send_ntlm
  @ntlm_send_ntlm
end

#ntlm_send_spn ⇒ Boolean

Returns Whether to send an avp of type SPN in the NTLMv2 client blob.

Returns:

• (Boolean) —

  Whether to send an avp of type SPN in the NTLMv2 client blob.

# File 'lib/metasploit/framework/login_scanner/http.rb', line 150

def ntlm_send_spn
  @ntlm_send_spn
end

#ntlm_use_lm_key ⇒ Boolean

Returns Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.

Returns:

• (Boolean) —

  Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent

# File 'lib/metasploit/framework/login_scanner/http.rb', line 154

def ntlm_use_lm_key
  @ntlm_use_lm_key
end

#ntlm_use_ntlmv2 ⇒ Boolean

Returns Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.

Returns:

• (Boolean) —

  Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled

# File 'lib/metasploit/framework/login_scanner/http.rb', line 138

def ntlm_use_ntlmv2
  @ntlm_use_ntlmv2
end

#ntlm_use_ntlmv2_session ⇒ Boolean

Returns Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.

Returns:

• (Boolean) —

  Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session

# File 'lib/metasploit/framework/login_scanner/http.rb', line 134

def ntlm_use_ntlmv2_session
  @ntlm_use_ntlmv2_session
end

#uri ⇒ String

Returns HTTP method, e.g. “GET”, “POST”.

Returns:

• (String) —

  HTTP method, e.g. “GET”, “POST”

# File 'lib/metasploit/framework/login_scanner/http.rb', line 26

def uri
  @uri
end

#user_agent ⇒ String

Returns the User-Agent to use for the HTTP requests.

Returns:

• (String) —

  the User-Agent to use for the HTTP requests

# File 'lib/metasploit/framework/login_scanner/http.rb', line 34

def user_agent
  @user_agent
end

#vhost ⇒ String

Returns the Virtual Host name for the target Web Server.

Returns:

• (String) —

  the Virtual Host name for the target Web Server

# File 'lib/metasploit/framework/login_scanner/http.rb', line 38

def vhost
  @vhost
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempt a single login with a single credential against the target.

Parameters:

• credential (Credential) —

  The credential object to attempt to login with.

Returns:

• (Result) —

  A Result object indicating success or failure

# File 'lib/metasploit/framework/login_scanner/http.rb', line 271

def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  if ssl
    result_opts[:service_name] = 'https'
  else
    result_opts[:service_name] = 'http'
  end

  begin
    response = send_request('credential'=>credential, 'uri'=>uri, 'method'=>method)
    if response && response.code == 200
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
    end
  rescue Rex::ConnectionError => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end

#check_setup ⇒ Object

# File 'lib/metasploit/framework/login_scanner/http.rb', line 180

def check_setup
  http_client = Rex::Proto::Http::Client.new(
    host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
  )
  request = http_client.request_cgi(
    'uri' => uri,
    'method' => method
  )

  begin
    # Use _send_recv instead of send_recv to skip automatic
    # authentication
    response = http_client._send_recv(request)
  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return "Unable to connect to target"
  end

  if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
    error_message = "No authentication required"
  else
    error_message = false
  end

  error_message
end

#send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

Sends a HTTP request with Rex

Parameters:

• opts (Hash) —

  native support includes the following (also see Rex::Proto::Http::Request#request_cgi)

Options Hash (opts):

• 'host' (String) —

  The remote host

• 'port' (Integer) —

  The remote port

• 'ssl' (Boolean) —

  The SSL setting, TrueClass or FalseClass

• 'proxies' (String) —

  The proxies setting

• 'credential' (Credential) —

  A credential object

• 'context' ('Hash') —

  A context

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP response

• (NilClass) —

  An error has occured while reading the response (see #Rex::Proto::Http::Client#read_response)

Raises:

• (Rex::ConnectionError) —

  One of these errors has occured: EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error

# File 'lib/metasploit/framework/login_scanner/http.rb', line 218

def send_request(opts)
  rhost           = opts['host'] || host
  rport           = opts['rport'] || port
  cli_ssl         = opts['ssl'] || ssl
  cli_ssl_version = opts['ssl_version'] || ssl_version
  cli_proxies     = opts['proxies'] || proxies
  username        = opts['credential'] ? opts['credential'].public : http_username
  password        = opts['credential'] ? opts['credential'].private : http_password
  realm           = opts['credential'] ? opts['credential'].realm : nil
  context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}

  res = nil
  cli = Rex::Proto::Http::Client.new(
    rhost,
    rport,
    context,
    cli_ssl,
    cli_ssl_version,
    cli_proxies,
    username,
    password
  )
  configure_http_client(cli)

  if realm
    cli.set_config('domain' => realm)
  end

  begin
    cli.connect
    req = cli.request_cgi(opts)
    # Authenticate by default
    res = if opts['authenticate'].nil? || opts['authenticate']
            cli.send_recv(req)
          else
            cli._send_recv(req)
          end
  rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    raise Rex::ConnectionError, e.message
  ensure
    cli.close
  end

  res
end