Class: Metasploit::Framework::LoginScanner::HTTP

Inherits: Object
Defined in: lib/metasploit/framework/login_scanner/http.rb
Overview
HTTP-specific login scanner.
Direct Known Subclasses
AdvantechWebAccess, Axis2, BavisionCameras, Buffalo, Caidao, ChefWebUI, CiscoFirepower, DirectAdmin, GitLab, Glassfish, IPBoard, Jenkins, Jupyter, ManageEngineDesktopCentral, MyBookLive, Nessus, OctopusDeploy, PhpMyAdmin, Smh, SoftingSIS, SymantecWebGateway, SyncoveryFileSyncBackup, Tomcat, WinRM, WordpressMulticall, WordpressRPC, WowzaStreamingEngineManager, Zabbix
Constant Summary

- DEFAULT_REALM = nil
- DEFAULT_PORT = 80
- DEFAULT_SSL_PORT = 443
- DEFAULT_HTTP_SUCCESS_CODES = [ 200, 201 ].append(*(300..309))
- LIKELY_PORTS = [ 80, 443, 8000, 8080 ]
- LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
- PRIVATE_TYPES = [ :password ]
- REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
Instance Attribute Summary

- #digest_auth_iis ⇒ Boolean: Whether to conform to IIS digest authentication mode.
- #evade_header_folding ⇒ Boolean: Whether to enable folding of HTTP headers.
- #evade_method_random_case ⇒ Boolean: Whether to use random casing for the HTTP method.
- #evade_method_random_invalid ⇒ Boolean: Whether to use a random, invalid HTTP method for the request.
- #evade_method_random_valid ⇒ Boolean: Whether to use a random, but valid, HTTP method for the request.
- #evade_pad_fake_headers ⇒ Boolean: Whether to insert random, fake headers into the HTTP request.
- #evade_pad_fake_headers_count ⇒ Integer: How many fake headers to insert into the HTTP request.
- #evade_pad_get_params ⇒ Boolean: Whether to insert random, fake query string variables into the request.
- #evade_pad_get_params_count ⇒ Integer: How many fake query string variables to insert into the request.
- #evade_pad_method_uri_count ⇒ Integer: How many whitespace characters to use between the method and the URI.
- #evade_pad_method_uri_type ⇒ String: What type of whitespace to use between the method and the URI.
- #evade_pad_post_params ⇒ Boolean: Whether to insert random, fake POST variables into the request.
- #evade_pad_post_params_count ⇒ Integer: How many fake POST variables to insert into the request.
- #evade_pad_uri_version_count ⇒ Integer: How many whitespace characters to use between the URI and the version.
- #evade_pad_uri_version_type ⇒ String: What type of whitespace to use between the URI and the version.
- #evade_shuffle_get_params ⇒ Boolean: Randomize the order of GET parameters.
- #evade_shuffle_post_params ⇒ Boolean: Randomize the order of POST parameters.
- #evade_uri_dir_fake_relative ⇒ Boolean: Whether to insert fake relative directories into the URI.
- #evade_uri_dir_self_reference ⇒ Boolean: Whether to insert self-referential directories into the URI.
- #evade_uri_encode_mode ⇒ String: The type of URI encoding to use.
- #evade_uri_fake_end ⇒ Boolean: Whether to add a fake end of URI (e.g. /%20HTTP/1.0/../../).
- #evade_uri_fake_params_start ⇒ Boolean: Whether to add a fake start of params to the URI (e.g. /%3fa=b/../).
- #evade_uri_full_url ⇒ Boolean: Whether to use the full URL for all HTTP requests.
- #evade_uri_use_backslashes ⇒ Boolean: Whether to use backslashes instead of forward slashes in the URI.
- #evade_version_random_invalid ⇒ Boolean: Whether to use a random, invalid HTTP version for the request.
- #evade_version_random_valid ⇒ Boolean: Whether to use a random, but valid, HTTP version for the request.
- #http_password ⇒ String
- #http_success_codes ⇒ Array<Int>: List of valid HTTP response codes.
- #http_username ⇒ String
- #keep_connection_alive ⇒ Boolean: Whether to keep the connection open after a successful login.
- #kerberos_authenticator_factory ⇒ Func<username, password, realm> : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP: A factory method for creating a Kerberos authenticator.
- #method ⇒ Object: Returns the value of attribute method.
- #ntlm_domain ⇒ String: The NTLM domain to use during authentication.
- #ntlm_send_lm ⇒ Boolean: Whether to always send the LANMAN response (except when NTLMv2_session is specified).
- #ntlm_send_ntlm ⇒ Boolean: Whether to activate the ‘Negotiate NTLM key’ flag, indicating the use of NTLM responses.
- #ntlm_send_spn ⇒ Boolean: Whether to send an AVP of type SPN in the NTLMv2 client blob.
- #ntlm_use_lm_key ⇒ Boolean: Activate the ‘Negotiate Lan Manager Key’ flag, using the LM key when the LM response is sent.
- #ntlm_use_ntlmv2 ⇒ Boolean: Whether to use NTLMv2 instead of NTLM2_session when ‘Negotiate NTLM2’ is enabled.
- #ntlm_use_ntlmv2_session ⇒ Boolean: Whether to activate the ‘Negotiate NTLM2 key’ flag, forcing the use of a NTLMv2_session.
- #uri ⇒ String: HTTP method, e.g. “GET”, “POST”.
- #user_agent ⇒ String: The User-Agent to use for the HTTP requests.
- #vhost ⇒ String: The Virtual Host name for the target Web Server.
Instance Method Summary

- #attempt_login(credential) ⇒ Result: Attempt a single login with a single credential against the target.
- #check_setup ⇒ Object
- #send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass: Sends an HTTP request with Rex.
Instance Attribute Details

#digest_auth_iis ⇒ Boolean

Returns whether to conform to IIS digest authentication mode.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 171
    def digest_auth_iis
      @digest_auth_iis
    end

#evade_header_folding ⇒ Boolean

Returns whether to enable folding of HTTP headers.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 139
    def evade_header_folding
      @evade_header_folding
    end

#evade_method_random_case ⇒ Boolean

Returns whether to use random casing for the HTTP method.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 75
    def evade_method_random_case
      @evade_method_random_case
    end

#evade_method_random_invalid ⇒ Boolean

Returns whether to use a random, invalid HTTP method for the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 71
    def evade_method_random_invalid
      @evade_method_random_invalid
    end

#evade_method_random_valid ⇒ Boolean

Returns whether to use a random, but valid, HTTP method for the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 67
    def evade_method_random_valid
      @evade_method_random_valid
    end

#evade_pad_fake_headers ⇒ Boolean

Returns whether to insert random, fake headers into the HTTP request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 99
    def evade_pad_fake_headers
      @evade_pad_fake_headers
    end

#evade_pad_fake_headers_count ⇒ Integer

Returns how many fake headers to insert into the HTTP request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 103
    def evade_pad_fake_headers_count
      @evade_pad_fake_headers_count
    end

#evade_pad_get_params ⇒ Boolean

Returns whether to insert random, fake query string variables into the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 107
    def evade_pad_get_params
      @evade_pad_get_params
    end

#evade_pad_get_params_count ⇒ Integer

Returns how many fake query string variables to insert into the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 111
    def evade_pad_get_params_count
      @evade_pad_get_params_count
    end

#evade_pad_method_uri_count ⇒ Integer

Returns how many whitespace characters to use between the method and the URI.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 51
    def evade_pad_method_uri_count
      @evade_pad_method_uri_count
    end

#evade_pad_method_uri_type ⇒ String

Returns what type of whitespace to use between the method and the URI.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 59
    def evade_pad_method_uri_type
      @evade_pad_method_uri_type
    end

#evade_pad_post_params ⇒ Boolean

Returns whether to insert random, fake POST variables into the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 115
    def evade_pad_post_params
      @evade_pad_post_params
    end

#evade_pad_post_params_count ⇒ Integer

Returns how many fake POST variables to insert into the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 119
    def evade_pad_post_params_count
      @evade_pad_post_params_count
    end

#evade_pad_uri_version_count ⇒ Integer

Returns how many whitespace characters to use between the URI and the version.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 55
    def evade_pad_uri_version_count
      @evade_pad_uri_version_count
    end

#evade_pad_uri_version_type ⇒ String

Returns what type of whitespace to use between the URI and the version.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 63
    def evade_pad_uri_version_type
      @evade_pad_uri_version_type
    end

#evade_shuffle_get_params ⇒ Boolean

Returns whether to randomize the order of GET parameters.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 123
    def evade_shuffle_get_params
      @evade_shuffle_get_params
    end

#evade_shuffle_post_params ⇒ Boolean

Returns whether to randomize the order of POST parameters.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 127
    def evade_shuffle_post_params
      @evade_shuffle_post_params
    end

#evade_uri_dir_fake_relative ⇒ Boolean

Returns whether to insert fake relative directories into the URI.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 91
    def evade_uri_dir_fake_relative
      @evade_uri_dir_fake_relative
    end

#evade_uri_dir_self_reference ⇒ Boolean

Returns whether to insert self-referential directories into the URI.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 87
    def evade_uri_dir_self_reference
      @evade_uri_dir_self_reference
    end

#evade_uri_encode_mode ⇒ String

Returns the type of URI encoding to use.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 43
    def evade_uri_encode_mode
      @evade_uri_encode_mode
    end

#evade_uri_fake_end ⇒ Boolean

Returns whether to add a fake end of URI (e.g. /%20HTTP/1.0/../../).

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 131
    def evade_uri_fake_end
      @evade_uri_fake_end
    end

#evade_uri_fake_params_start ⇒ Boolean

Returns whether to add a fake start of params to the URI (e.g. /%3fa=b/../).

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 135
    def evade_uri_fake_params_start
      @evade_uri_fake_params_start
    end

#evade_uri_full_url ⇒ Boolean

Returns whether to use the full URL for all HTTP requests.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 47
    def evade_uri_full_url
      @evade_uri_full_url
    end

#evade_uri_use_backslashes ⇒ Boolean

Returns whether to use backslashes instead of forward slashes in the URI.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 95
    def evade_uri_use_backslashes
      @evade_uri_use_backslashes
    end

#evade_version_random_invalid ⇒ Boolean

Returns whether to use a random, invalid HTTP version for the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 83
    def evade_version_random_invalid
      @evade_version_random_invalid
    end

#evade_version_random_valid ⇒ Boolean

Returns whether to use a random, but valid, HTTP version for the request.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 79
    def evade_version_random_valid
      @evade_version_random_valid
    end

#http_password ⇒ String

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 179
    def http_password
      @http_password
    end

#http_success_codes ⇒ Array

Returns [Int] list of valid HTTP response codes.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 191
    def http_success_codes
      @http_success_codes
    end

#http_username ⇒ String

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 175
    def http_username
      @http_username
    end

#keep_connection_alive ⇒ Boolean

Returns whether to keep the connection open after a successful login.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 187
    def keep_connection_alive
      @keep_connection_alive
    end

#kerberos_authenticator_factory ⇒ Func<username, password, realm> : Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP

Returns a factory method for creating a Kerberos authenticator.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 183
    def kerberos_authenticator_factory
      @kerberos_authenticator_factory
    end

#method ⇒ Object

Returns the value of attribute method.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 31
    def method
      @method
    end

#ntlm_domain ⇒ String

Returns the NTLM domain to use during authentication.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 167
    def ntlm_domain
      @ntlm_domain
    end

#ntlm_send_lm ⇒ Boolean

Returns whether to always send the LANMAN response (except when NTLMv2_session is specified).

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 151
    def ntlm_send_lm
      @ntlm_send_lm
    end

#ntlm_send_ntlm ⇒ Boolean

Returns whether to activate the ‘Negotiate NTLM key’ flag, indicating the use of NTLM responses.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 155
    def ntlm_send_ntlm
      @ntlm_send_ntlm
    end

#ntlm_send_spn ⇒ Boolean

Returns whether to send an AVP of type SPN in the NTLMv2 client blob.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 159
    def ntlm_send_spn
      @ntlm_send_spn
    end

#ntlm_use_lm_key ⇒ Boolean

Returns whether to activate the ‘Negotiate Lan Manager Key’ flag, using the LM key when the LM response is sent.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 163
    def ntlm_use_lm_key
      @ntlm_use_lm_key
    end

#ntlm_use_ntlmv2 ⇒ Boolean

Returns whether to use NTLMv2 instead of NTLM2_session when ‘Negotiate NTLM2’ is enabled.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 147
    def ntlm_use_ntlmv2
      @ntlm_use_ntlmv2
    end

#ntlm_use_ntlmv2_session ⇒ Boolean

Returns whether to activate the ‘Negotiate NTLM2 key’ flag, forcing the use of a NTLMv2_session.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 143
    def ntlm_use_ntlmv2_session
      @ntlm_use_ntlmv2_session
    end

#uri ⇒ String

Returns HTTP method, e.g. “GET”, “POST”.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 27
    def uri
      @uri
    end

#user_agent ⇒ String

Returns the User-Agent to use for the HTTP requests.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 35
    def user_agent
      @user_agent
    end

#vhost ⇒ String

Returns the Virtual Host name for the target Web Server.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 39
    def vhost
      @vhost
    end
Instance Method Details
#attempt_login(credential) ⇒ Result

Attempt a single login with a single credential against the target.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 274
    def attempt_login(credential)
      # Default outcome is INCORRECT; only a response whose status code is
      # listed in http_success_codes upgrades it to SUCCESSFUL.
      result_opts = {
        credential: credential,
        status: Metasploit::Model::Login::Status::INCORRECT,
        proof: nil,
        host: host,
        port: port,
        protocol: 'tcp'
      }
      if ssl
        result_opts[:service_name] = 'https'
      else
        result_opts[:service_name] = 'http'
      end

      request_opts = {'credential'=>credential, 'uri'=>uri, 'method'=>method}
      if keep_connection_alive
        # Create the client up front so it can be handed back in the Result.
        request_opts[:http_client] = create_client(request_opts)
      end

      begin
        response = send_request(request_opts)
        if response && http_success_codes.include?(response.code)
          result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
        end
      rescue Rex::ConnectionError => e
        result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
      rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
        mapped_err = Metasploit::Framework::LoginScanner::Kerberos.login_status_for_kerberos_error(e)
        result_opts.merge!(status: mapped_err, proof: e)
      ensure
        # A kept-alive client is returned with a successful result and closed otherwise.
        if request_opts.key?(:http_client)
          if result_opts[:status] == Metasploit::Model::Login::Status::SUCCESSFUL
            result_opts[:connection] = request_opts[:http_client]
          else
            request_opts[:http_client].close
          end
        end
      end

      Result.new(result_opts)
    end
#check_setup ⇒ Object

Verifies that the target actually challenges an unauthenticated request (HTTP 401 with a WWW-Authenticate header). Returns an error message string when it does not, or could not be reached, and false when the setup is usable.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 202
    def check_setup
      http_client = Rex::Proto::Http::Client.new(
        host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
      )
      request = http_client.request_cgi(
        'uri' => uri,
        'method' => method
      )

      begin
        # Use _send_recv instead of send_recv to skip automatic
        # authentication
        response = http_client._send_recv(request)
      rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
        return "Unable to connect to target"
      end

      # The assignment target on the next two branches was lost in extraction;
      # `error_message` is the variable name used upstream.
      if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
        error_message = "No authentication required"
      else
        error_message = false
      end
    end
#send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

Sends an HTTP request with Rex.

    # File 'lib/metasploit/framework/login_scanner/http.rb', line 241
    def send_request(opts)
      # Only close the client if this method created it.
      close_client = !opts.key?(:http_client)
      cli = opts.fetch(:http_client) { create_client(opts) }

      begin
        cli.connect
        req = cli.request_cgi(opts)

        # Authenticate by default
        res = if opts['authenticate'].nil? || opts['authenticate']
                cli.send_recv(req)
              else
                cli._send_recv(req)
              end
      rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
        # Every transport failure is normalised to Rex::ConnectionError so that
        # attempt_login can map it to UNABLE_TO_CONNECT. (The `.message` call was
        # truncated in extraction and is restored here.)
        raise Rex::ConnectionError, e.message
      ensure
        # If we didn't create the client, don't close it
        if close_client
          cli.close
        end
      end

      res
    end
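As an added example (not Metasploit's own code), the following dependency-free Ruby reproduces the two decisions documented above: the check_setup precondition (401 plus WWW-Authenticate) and the status that attempt_login assigns from http_success_codes. Status, Response, ConnectionError and HttpLoginClassifier are constructed stand-ins for the Metasploit and Rex classes. It also makes visible a consequence of the defaults: because DEFAULT_HTTP_SUCCESS_CODES includes 300..309, a failed login that answers with a redirect back to the form is classified as SUCCESSFUL unless http_success_codes is narrowed.

```ruby
# Constructed stand-in for Metasploit::Model::Login::Status.
module Status
  SUCCESSFUL        = :successful
  INCORRECT         = :incorrect
  UNABLE_TO_CONNECT = :unable_to_connect
end

# Constructed stand-in for Rex::Proto::Http::Response (code + headers only).
Response = Struct.new(:code, :headers)

# Constructed stand-in for Rex::ConnectionError.
class ConnectionError < StandardError; end

# Hypothetical class modelling the scanner's two decisions.
class HttpLoginClassifier
  # Same value as the documented DEFAULT_HTTP_SUCCESS_CODES constant:
  # 200, 201 and every code from 300 to 309.
  DEFAULT_HTTP_SUCCESS_CODES = [200, 201].append(*(300..309))

  attr_reader :http_success_codes

  # A subclass narrows the list by overriding http_success_codes;
  # here it is a constructor argument.
  def initialize(http_success_codes: DEFAULT_HTTP_SUCCESS_CODES)
    @http_success_codes = http_success_codes
  end

  # Mirrors check_setup: the scanner is only meaningful against a target
  # that answers an unauthenticated request with 401 + WWW-Authenticate.
  # Returns an error string, or false when the setup is fine.
  def setup_error(response)
    return "Unable to connect to target" if response.nil?
    if !(response.code == 401 && response.headers['WWW-Authenticate'])
      "No authentication required"
    else
      false
    end
  end

  # Mirrors the status decision in attempt_login. The block stands in
  # for send_request: it returns a Response (or nil) or raises.
  def classify
    response = yield
    if response && http_success_codes.include?(response.code)
      Status::SUCCESSFUL
    else
      Status::INCORRECT
    end
  rescue ConnectionError
    Status::UNABLE_TO_CONNECT
  end
end
```

Feeding a constructed 302-to-the-login-form response through the default classifier yields SUCCESSFUL, while the same response against `HttpLoginClassifier.new(http_success_codes: [200])` yields INCORRECT, which is why subclasses targeting form-based logins set their own success codes.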