Class: Metasploit::Framework::LoginScanner::PfSense

Inherits:
HTTP
  • Object
Defined in:
lib/metasploit/framework/login_scanner/pfsense.rb

Overview

This is the LoginScanner class for dealing with Netgate pfSense instances. It is responsible for taking a single target and a list of credentials, attempting each of them, and then saving the results.

Constant Summary

LOGIN_ENDPOINT =
'index.php'

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_PORT, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::PRIVATE_TYPES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

Methods inherited from HTTP

#authentication_required?, #send_request

Instance Method Details

#attempt_login(credential) ⇒ Object



# File 'lib/metasploit/framework/login_scanner/pfsense.rb', line 75

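# Attempts a single credential against the pfSense login form and wraps the
# outcome in a Result. Every attempt first fetches a fresh CSRF magic pair via
# query_csrf_magic and then posts the credential with try_login.
#
# @param credential [#public, #private] the username (public) / password (private) pair to try
# @return [Result] status is UNTRIED when the CSRF values could not be fetched,
#   UNABLE_TO_CONNECT when no response came back (or the connection failed),
#   SUCCESSFUL on a 302 response, and INCORRECT otherwise
def attempt_login(credential)
  result_options = {
    credential:   credential,
    host:         @host,
    port:         @port,
    protocol:     'tcp',
    service_name: 'pfsense'
  }

  # Each login needs its own csrf magic tokens
  csrf_magic = query_csrf_magic

  unless csrf_magic[:status] == :success
    result_options.merge!(status: ::Metasploit::Model::Login::Status::UNTRIED, proof: csrf_magic[:error])
    return Result.new(result_options)
  end

  login_result = try_login(credential.public, credential.private, csrf_magic[:result])
  response = login_result[:result]

  if response.nil?
    result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to pfSense')
    return Result.new(result_options)
  end

  # A 200 is treated as an incorrect login, as is the explicit error text.
  # body is guarded with &. (as check_setup does) so a response without a body cannot raise here.
  if response.code == 200 || response.body&.include?('Username or Password incorrect')
    result_options.merge!(status: ::Metasploit::Model::Login::Status::INCORRECT, proof: 'Username or Password incorrect')
    return Result.new(result_options)
  end

  status = response.code == 302 ? ::Metasploit::Model::Login::Status::SUCCESSFUL : ::Metasploit::Model::Login::Status::INCORRECT
  result_options.merge!(status: status, proof: response)
  Result.new(result_options)
rescue ::Rex::ConnectionError => _e
  # result_options is assigned before anything that can raise, so it is always populated here.
  result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to pfSense')
  Result.new(result_options)
end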

#check_setup ⇒ Boolean, String

Checks whether the target is pfSense. The login module should call this.

Returns:

  • (Boolean, String)

    false if the target is pfSense, otherwise a String explaining why it could not be confirmed



# File 'lib/metasploit/framework/login_scanner/pfsense.rb', line 16

# Checks whether the target serves the pfSense login page. The login module
# should call this before attempting any credentials.
#
# @return [FalseClass, String] false when the response is a 200 whose body
#   contains "Login to pfSense"; otherwise a String explaining what was missing
def check_setup
  get_request = {
    'method' => 'GET',
    'uri' => normalize_uri(@uri.to_s, LOGIN_ENDPOINT)
  }
  response = send_request(get_request)

  # Both the response and its body may be absent, hence the safe navigation.
  looks_like_pfsense = response&.code == 200 && response.body&.include?('Login to pfSense')
  return false if looks_like_pfsense

  "Unable to locate \"Login to pfSense\" in body. (Is this really pfSense?)"
end

#query_csrf_magic ⇒ Object



# File 'lib/metasploit/framework/login_scanner/pfsense.rb', line 30

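# Fetches the CSRF magic token and field name that pfSense inlines in its login
# page. A fresh pair is needed for every login attempt.
#
# @return [Hash] { status: :success, result: { csrf_magic_token:, csrf_magic_name: } }
#   on success, or { status: :failure, error: String } describing why the values
#   could not be obtained (no response, non-200 code, or values not found)
def query_csrf_magic
  request_params = {
    'method' => 'GET',
    'uri' => normalize_uri(@uri.to_s, LOGIN_ENDPOINT)
  }

  res = send_request(request_params)

  if res.nil?
    return { status: :failure, error: 'Did not receive response to a GET request' }
  end

  if res.code != 200
    return { status: :failure, error: "Unexpected return code from GET request - #{res.code}" }
  end

  # CSRF Magic Token and Magic Value are inlined as JavaScript in a <script> tag.
  # It can also be extracted from the Nokogiri::HTML(res.body).search('form') form.
  # [^"]* keeps each capture inside its own quotes, so a script line that continues
  # after csrfMagicName cannot bleed into the captured value the way a greedy .* would.
  match = res.body.to_s.match(/var csrfMagicToken = "(?<magic_token>[^"]*)";var csrfMagicName = "(?<magic_name>[^"]*)";/)

  # Previously a missing match raised NoMethodError (nil.captures); report it as a failure instead.
  if match.nil?
    return { status: :failure, error: "Could not find magic CSRF values. csrf_magic_token: '', csrf_magic_name: ''" }
  end

  csrf_magic_token = match[:magic_token]
  csrf_magic_name = match[:magic_name]
  # An empty token or field name cannot be used to build the login POST.
  if csrf_magic_token.empty? || csrf_magic_name.empty?
    return { status: :failure, error: "Could not find magic CSRF values. csrf_magic_token: '#{csrf_magic_token}', csrf_magic_name: '#{csrf_magic_name}'" }
  end

  { status: :success, result: { csrf_magic_token: csrf_magic_token, csrf_magic_name: csrf_magic_name } }
end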

#try_login(username, password, csrf_magic) ⇒ Object

Each individual login needs its own CSRF magic header. This header comes from a GET request to the index.php page.



# File 'lib/metasploit/framework/login_scanner/pfsense.rb', line 58

# Posts a single credential to the pfSense login form.
# Each individual login needs its own CSRF magic value, which comes from a GET
# request to the index.php page (see query_csrf_magic).
#
# @param username [String] value for the usernamefld form field
# @param password [String] value for the passwordfld form field
# @param csrf_magic [Hash] :csrf_magic_name (the form field name) and
#   :csrf_magic_token (its value), as returned by query_csrf_magic
# @return [Hash] { status: :success, result: whatever send_request returned }
def try_login(username, password, csrf_magic)
  form_fields = {
    'usernamefld' => username,
    'passwordfld' => password
  }
  form_fields[csrf_magic[:csrf_magic_name]] = csrf_magic[:csrf_magic_token]
  form_fields['login'] = ::URI.encode_www_form_component('Sign In')

  # NOTE(review): 'keep_cookies' presumably carries the cookie from the GET that fetched the
  # CSRF pair into this POST; it also persists into later attempts — confirm a prior
  # successful session cannot skew the verdict for the next credential.
  post_request = {
    'method' => 'POST',
    'uri' => normalize_uri(@uri.to_s, LOGIN_ENDPOINT),
    'keep_cookies' => true,
    'vars_post' => form_fields
  }

  { status: :success, result: send_request(post_request) }
end