Class: Metasploit::Framework::LoginScanner::SonicWall

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::SonicWall

Defined in:

lib/metasploit/framework/login_scanner/sonicwall.rb

Overview

SonicWall Login Scanner supporting

• User Login

• Admin Login

Constant Summary

LIKELY_PORTS =

self.superclass::LIKELY_PORTS + [4433]

LIKELY_SERVICE_NAMES =

self.superclass::LIKELY_SERVICE_NAMES + [
  'SonicWall Network Security'
]

PRIVATE_TYPES =

[:password]

REALM_KEY =

nil

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_PORT, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT

Instance Attribute Summary

• #domain ⇒ Object

  Returns the value of attribute domain.

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Object
• #auth_details_req ⇒ Object
• #auth_req(header) ⇒ Object
• #check_setup ⇒ Object
• #do_login(username, password, depth) ⇒ Object

  The login procedure is two-step procedure for SonicWall due to HTTP Digest Authentication.

• #get_auth_details(username, password) ⇒ Object
• #get_resp_msg(msg) ⇒ Object
• #req_params_base ⇒ Object
• #try_login(header) ⇒ Object

Methods inherited from HTTP

#authentication_required?, #send_request

Instance Attribute Details

#domain ⇒ Object

Returns the value of attribute domain.

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 18

def domain
  @domain
end

Instance Method Details

#attempt_login(credential) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 139

def attempt_login(credential)
  result_options = {
    credential: credential,
    host: @host,
    port: @port,
    protocol: 'tcp',
    service_name: 'sonicwall'
  }
  result_options.merge!(do_login(credential.public, credential.private, 1))
  Result.new(result_options)
end

#auth_details_req ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 30

def auth_details_req
  params = req_params_base

  #
  # Admin and SSLVPN user login procedure differs only in usage of domain field in JSON data
  #
  params.merge!({
    'data' => JSON.pretty_generate(@domain.blank? ? {
      'override' => false,
      'snwl' => true
    } : { 'domain' => @domain, 'override' => false, 'snwl' => true })
  })
  return params
end

#auth_req(header) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 45

def auth_req(header)
  params = req_params_base

  params.merge!({
    'headers' =>
    {
      'Authorization' => header.join(', ')
    }
  })

  params.merge!({
    'data' => JSON.pretty_generate(@domain.empty? ? {
      'override' => false,
      'snwl' => true
    } : { 'domain' => @domain, 'override' => false, 'snwl' => true })
  })

  return params
end

#check_setup ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 77

def check_setup
  request_params = {
    'method' => 'GET',
    'uri' => normalize_uri('/sonicui/7/login/')
  }
  res = send_request(request_params)
  if res&.code == 200 && res.body&.include?('SonicWall')
    return false
  end

  'Unable to locate "SonicWall" in body. (Is this really SonicWall?)'
end

#do_login(username, password, depth) ⇒ Object

The login procedure is two-step procedure for SonicWall due to HTTP Digest Authentication. In the first request, client receives data,cryptographic hashes and algorithm selection from server. It should calculate final response hash from username, password and additional data received from server. The second request contains all this information.

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 93

def do_login(username, password, depth)
  return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Waiting too long in lockout' } if depth >= 2

  #-- get authentication details from first request
  begin
    res = get_auth_details(username, password)
  rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError => e
    return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
  end

  return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Invalid response' } unless res
  return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Failed to receive a authentication details' } unless res&.headers && res.headers.key?('X-SNWL-Authenticate')

  res.headers['X-SNWL-Authenticate'] =~ /Digest (.*)/

  parameters = {}
  ::Regexp.last_match(1).split(/,[[:space:]]*/).each do |p|
    k, v = p.split('=', 2)
    parameters[k] = v.gsub('"', '')
  end
  return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Incorrect authentication header' } if parameters.empty?

  digest_auth = Rex::Proto::Http::AuthDigest.new
  auth_header = digest_auth.digest(username, password, 'POST', '/api/sonicos/auth', parameters)
  return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Could not calculate hash' } unless auth_header

  #-- send the actual request with all hashes and information

  res = try_login(auth_header)

  return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s } if res&.code == 200


  msg_json = res.get_json_document

  return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res.to_s } unless msg_json
  msg = get_resp_msg(msg_json)

  if msg == 'User is locked out'
    sleep(5 * 60)
    return do_login(username, password, depth + 1)
  end

  return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: msg }
end

#get_auth_details(username, password) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 65

def get_auth_details(username, password)
  send_request(auth_details_req)
end

#get_resp_msg(msg) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 73

def get_resp_msg(msg)
  msg.dig('status', 'info', 0, 'message')
end

#req_params_base ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 20

def req_params_base
  {
    'method' => 'POST',
    'uri' => normalize_uri('/api/sonicos/auth'),
    'ctype' => 'application/json',
    # Force SSL as the application uses non-standard TCP port for HTTPS - 4433
    'ssl' => true
  }
end

#try_login(header) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/sonicwall.rb', line 69

def try_login(header)
  send_request(auth_req(header))
end