Class: Metasploit::Framework::LoginScanner::HTTP

Inherits:
Object
Includes:
Base, RexSocket
Defined in:
lib/metasploit/framework/login_scanner/http.rb

Overview

HTTP-specific login scanner. It drives a Rex::Proto::Http::Client against #uri with the scanner's #method: #check_setup first confirms that the URI answers 401 with a WWW-Authenticate header (so an unprotected URI is not mistaken for one that accepts every credential), and #attempt_login then sends one request per credential through #send_request, treating a 200 response as proof that the credential was accepted.

Constant Summary

DEFAULT_REALM =
nil
DEFAULT_PORT =
80
DEFAULT_SSL_PORT =
443
LIKELY_PORTS =
[ 80, 443, 8000, 8080 ]
LIKELY_SERVICE_NAMES =
[ 'http', 'https' ]
PRIVATE_TYPES =
[ :password ]
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN


Instance Attribute Details

#digest_auth_iisBoolean

Returns Whether to conform to IIS digest authentication mode.

Returns:

  • (Boolean)

    Whether to conform to IIS digest authentication mode.


# File 'lib/metasploit/framework/login_scanner/http.rb', line 162

# Whether to conform to IIS digest authentication mode.
# @return [Boolean]
def digest_auth_iis; @digest_auth_iis; end

#evade_header_foldingBoolean

Returns Whether to enable folding of HTTP headers.

Returns:

  • (Boolean)

    Whether to enable folding of HTTP headers


# File 'lib/metasploit/framework/login_scanner/http.rb', line 130

# Evasion option: whether to enable folding of HTTP headers.
# @return [Boolean]
def evade_header_folding; @evade_header_folding; end

#evade_method_random_caseBoolean

Returns Whether to use random casing for the HTTP method.

Returns:

  • (Boolean)

    Whether to use random casing for the HTTP method


# File 'lib/metasploit/framework/login_scanner/http.rb', line 74

# Evasion option: whether to use random casing for the HTTP method.
# @return [Boolean]
def evade_method_random_case; @evade_method_random_case; end

#evade_method_random_invalidBoolean

Returns Whether to use a random, invalid HTTP method for the request.

Returns:

  • (Boolean)

    Whether to use a random, invalid HTTP method for the request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 70

# Evasion option: whether to use a random, invalid HTTP method for the request.
# @return [Boolean]
def evade_method_random_invalid; @evade_method_random_invalid; end

#evade_method_random_validBoolean

Returns Whether to use a random, but valid, HTTP method for request.

Returns:

  • (Boolean)

    Whether to use a random, but valid, HTTP method for request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 66

# Evasion option: whether to use a random, but valid, HTTP method for the request.
# @return [Boolean]
def evade_method_random_valid; @evade_method_random_valid; end

#evade_pad_fake_headersBoolean

Returns Whether to insert random, fake headers into the HTTP request.

Returns:

  • (Boolean)

    Whether to insert random, fake headers into the HTTP request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 98

# Evasion option: whether to insert random, fake headers into the HTTP request.
# @return [Boolean]
def evade_pad_fake_headers; @evade_pad_fake_headers; end

#evade_pad_fake_headers_countInteger

Returns How many fake headers to insert into the HTTP request.

Returns:

  • (Integer)

    How many fake headers to insert into the HTTP request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 102

# Evasion option: how many fake headers to insert into the HTTP request.
# @return [Integer]
def evade_pad_fake_headers_count; @evade_pad_fake_headers_count; end

#evade_pad_get_paramsBoolean

Returns Whether to insert random, fake query string variables into the request.

Returns:

  • (Boolean)

    Whether to insert random, fake query string variables into the request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 106

# Evasion option: whether to insert random, fake query string variables into the request.
# @return [Boolean]
def evade_pad_get_params; @evade_pad_get_params; end

#evade_pad_get_params_countInteger

Returns How many fake query string variables to insert into the request.

Returns:

  • (Integer)

    How many fake query string variables to insert into the request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 110

# Evasion option: how many fake query string variables to insert into the request.
# @return [Integer]
def evade_pad_get_params_count; @evade_pad_get_params_count; end

#evade_pad_method_uri_countInteger

Returns How many whitespace characters to use between the method and uri.

Returns:

  • (Integer)

    How many whitespace characters to use between the method and uri


# File 'lib/metasploit/framework/login_scanner/http.rb', line 50

# Evasion option: how many whitespace characters to use between the method and uri.
# @return [Integer]
def evade_pad_method_uri_count; @evade_pad_method_uri_count; end

#evade_pad_method_uri_typeString

Returns What type of whitespace to use between the method and uri.

Returns:

  • (String)

    What type of whitespace to use between the method and uri


# File 'lib/metasploit/framework/login_scanner/http.rb', line 58

# Evasion option: what type of whitespace to use between the method and uri.
# @return [String]
def evade_pad_method_uri_type; @evade_pad_method_uri_type; end

#evade_pad_post_paramsBoolean

Returns Whether to insert random, fake post variables into the request.

Returns:

  • (Boolean)

    Whether to insert random, fake post variables into the request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 114

# Evasion option: whether to insert random, fake post variables into the request.
# @return [Boolean]
def evade_pad_post_params; @evade_pad_post_params; end

#evade_pad_post_params_countInteger

Returns How many fake post variables to insert into the request.

Returns:

  • (Integer)

    How many fake post variables to insert into the request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 118

# Evasion option: how many fake post variables to insert into the request.
# @return [Integer]
def evade_pad_post_params_count; @evade_pad_post_params_count; end

#evade_pad_uri_version_countInteger

Returns How many whitespace characters to use between the uri and version.

Returns:

  • (Integer)

    How many whitespace characters to use between the uri and version


# File 'lib/metasploit/framework/login_scanner/http.rb', line 54

# Evasion option: how many whitespace characters to use between the uri and version.
# @return [Integer]
def evade_pad_uri_version_count; @evade_pad_uri_version_count; end

#evade_pad_uri_version_typeString

Returns What type of whitespace to use between the uri and version.

Returns:

  • (String)

    What type of whitespace to use between the uri and version


# File 'lib/metasploit/framework/login_scanner/http.rb', line 62

# Evasion option: what type of whitespace to use between the uri and version.
# @return [String]
def evade_pad_uri_version_type; @evade_pad_uri_version_type; end

#evade_uri_dir_fake_relativeBoolean

Returns Whether to insert fake relative directories into the uri.

Returns:

  • (Boolean)

    Whether to insert fake relative directories into the uri


# File 'lib/metasploit/framework/login_scanner/http.rb', line 90

# Evasion option: whether to insert fake relative directories into the uri.
# @return [Boolean]
def evade_uri_dir_fake_relative; @evade_uri_dir_fake_relative; end

#evade_uri_dir_self_referenceBoolean

Returns Whether to insert self-referential directories into the uri.

Returns:

  • (Boolean)

    Whether to insert self-referential directories into the uri


# File 'lib/metasploit/framework/login_scanner/http.rb', line 86

# Evasion option: whether to insert self-referential directories into the uri.
# @return [Boolean]
def evade_uri_dir_self_reference; @evade_uri_dir_self_reference; end

#evade_uri_encode_modeString

Returns The type of URI encoding to use.

Returns:

  • (String)

    The type of URI encoding to use


# File 'lib/metasploit/framework/login_scanner/http.rb', line 42

# Evasion option: the type of URI encoding to use.
# @return [String]
def evade_uri_encode_mode; @evade_uri_encode_mode; end

#evade_uri_fake_endBoolean

Returns Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).

Returns:

  • (Boolean)

    Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../)


# File 'lib/metasploit/framework/login_scanner/http.rb', line 122

# Evasion option: whether to add a fake end of URI (eg: /%20HTTP/1.0/../../).
# @return [Boolean]
def evade_uri_fake_end; @evade_uri_fake_end; end

#evade_uri_fake_params_startBoolean

Returns Whether to add a fake start of params to the URI (eg: /%3fa=b/../).

Returns:

  • (Boolean)

    Whether to add a fake start of params to the URI (eg: /%3fa=b/../)


# File 'lib/metasploit/framework/login_scanner/http.rb', line 126

# Evasion option: whether to add a fake start of params to the URI (eg: /%3fa=b/../).
# @return [Boolean]
def evade_uri_fake_params_start; @evade_uri_fake_params_start; end

#evade_uri_full_urlBoolean

Returns Whether to use the full URL for all HTTP requests.

Returns:

  • (Boolean)

    Whether to use the full URL for all HTTP requests


# File 'lib/metasploit/framework/login_scanner/http.rb', line 46

# Evasion option: whether to use the full URL for all HTTP requests.
# @return [Boolean]
def evade_uri_full_url; @evade_uri_full_url; end

#evade_uri_use_backslashesBoolean

Returns Whether to use back slashes instead of forward slashes in the uri.

Returns:

  • (Boolean)

    Whether to use back slashes instead of forward slashes in the uri


# File 'lib/metasploit/framework/login_scanner/http.rb', line 94

# Evasion option: whether to use back slashes instead of forward slashes in the uri.
# @return [Boolean]
def evade_uri_use_backslashes; @evade_uri_use_backslashes; end

#evade_version_random_invalidBoolean

Returns Whether to use a random, invalid HTTP version for the request.

Returns:

  • (Boolean)

    Whether to use a random, invalid HTTP version for the request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 82

# Evasion option: whether to use a random, invalid HTTP version for the request.
# @return [Boolean]
def evade_version_random_invalid; @evade_version_random_invalid; end

#evade_version_random_validBoolean

Returns Whether to use a random, but valid, HTTP version for request.

Returns:

  • (Boolean)

    Whether to use a random, but valid, HTTP version for request


# File 'lib/metasploit/framework/login_scanner/http.rb', line 78

# Evasion option: whether to use a random, but valid, HTTP version for the request.
# @return [Boolean]
def evade_version_random_valid; @evade_version_random_valid; end

#http_passwordString

Returns:

  • (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 170

# Password handed to the Rex HTTP client when #send_request is called
# without a 'credential' option (see #send_request).
# @return [String]
def http_password; @http_password; end

#http_usernameString

Returns:

  • (String)

# File 'lib/metasploit/framework/login_scanner/http.rb', line 166

# Username handed to the Rex HTTP client when #send_request is called
# without a 'credential' option (see #send_request).
# @return [String]
def http_username; @http_username; end

#methodObject

Returns the HTTP method used for the request, e.g. “GET”, “POST” (the description shown under #uri below belongs here; #uri is the path that is requested).


# File 'lib/metasploit/framework/login_scanner/http.rb', line 30

# HTTP method used for the request, e.g. "GET", "POST".
# @return [String]
def method; @method; end

#ntlm_domainString

Returns The NTLM domain to use during authentication.

Returns:

  • (String)

    The NTLM domain to use during authentication


# File 'lib/metasploit/framework/login_scanner/http.rb', line 158

# The NTLM domain to use during authentication.
# @return [String]
def ntlm_domain; @ntlm_domain; end

#ntlm_send_lmBoolean

Returns Whether to always send the LANMAN response (except when NTLMv2_session is specified).

Returns:

  • (Boolean)

    Whether to always send the LANMAN response (except when NTLMv2_session is specified). LM responses are derived from the weak LM hash, so leave this disabled unless the target refuses to authenticate without it.


# File 'lib/metasploit/framework/login_scanner/http.rb', line 142

# Whether to always send the LANMAN response (except when NTLMv2_session is
# specified). LM responses are derived from the weak LM hash; keep this off
# unless the target requires it.
# @return [Boolean]
def ntlm_send_lm; @ntlm_send_lm; end

#ntlm_send_ntlmBoolean

Returns Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.

Returns:

  • (Boolean)

    Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses


# File 'lib/metasploit/framework/login_scanner/http.rb', line 146

# Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses.
# @return [Boolean]
def ntlm_send_ntlm; @ntlm_send_ntlm; end

#ntlm_send_spnBoolean

Returns Whether to send an avp of type SPN in the NTLMv2 client blob.

Returns:

  • (Boolean)

    Whether to send an avp of type SPN in the NTLMv2 client blob.


# File 'lib/metasploit/framework/login_scanner/http.rb', line 150

# Whether to send an avp of type SPN in the NTLMv2 client blob.
# @return [Boolean]
def ntlm_send_spn; @ntlm_send_spn; end

#ntlm_use_lm_keyBoolean

Returns Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent.

Returns:

  • (Boolean)

    Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent


# File 'lib/metasploit/framework/login_scanner/http.rb', line 154

# Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the
# LM response is sent.
# @return [Boolean]
def ntlm_use_lm_key; @ntlm_use_lm_key; end

#ntlm_use_ntlmv2Boolean

Returns Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.

Returns:

  • (Boolean)

    Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled


# File 'lib/metasploit/framework/login_scanner/http.rb', line 138

# Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled.
# @return [Boolean]
def ntlm_use_ntlmv2; @ntlm_use_ntlmv2; end

#ntlm_use_ntlmv2_sessionBoolean

Returns Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.

Returns:

  • (Boolean)

    Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session


# File 'lib/metasploit/framework/login_scanner/http.rb', line 134

# Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session.
# @return [Boolean]
def ntlm_use_ntlmv2_session; @ntlm_use_ntlmv2_session; end

#uriString

Returns the URI (path) that #check_setup probes and #attempt_login sends each credential to.

Returns:

  • (String)

    The URI (path) that #check_setup probes and #attempt_login sends each credential to


# File 'lib/metasploit/framework/login_scanner/http.rb', line 26

# The URI (path) that #check_setup probes and each login attempt is sent to.
# @return [String]
def uri; @uri; end

#user_agentString

Returns the User-Agent to use for the HTTP requests.

Returns:

  • (String)

    the User-Agent to use for the HTTP requests


# File 'lib/metasploit/framework/login_scanner/http.rb', line 34

# The User-Agent to use for the HTTP requests.
# @return [String]
def user_agent; @user_agent; end

#vhostString

Returns the Virtual Host name for the target Web Server.

Returns:

  • (String)

    the Virtual Host name for the target Web Server


# File 'lib/metasploit/framework/login_scanner/http.rb', line 38

# The Virtual Host name for the target Web Server.
# @return [String]
def vhost; @vhost; end

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempt a single login with a single credential against the target.

Parameters:

  • credential (Credential)

    The credential object to attempt to login with.

Returns:

  • (Result)

    A Result object indicating success or failure


# File 'lib/metasploit/framework/login_scanner/http.rb', line 271

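# Attempt a single login with a single credential against the target.
#
# The request goes through #send_request, whose default +send_recv+ path
# answers the server's authentication challenge with +credential+. A 200
# response is taken as proof that the credential was accepted; every other
# status (including redirects and 401) is reported as INCORRECT. Because a
# URI that never challenges for authentication also answers 200, run
# #check_setup first -- it refuses to proceed unless the target replies
# 401 with a WWW-Authenticate header.
#
# @param credential [Credential] The credential object to attempt to login with.
# @return [Result] A Result object indicating success or failure. A transport
#   failure yields status UNABLE_TO_CONNECT with the Rex::ConnectionError
#   raised by #send_request as the proof.
def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }
  result_opts[:service_name] = ssl ? 'https' : 'http'

  begin
    response = send_request('credential' => credential, 'uri' => uri, 'method' => method)
    if response && response.code == 200
      # Only the response headers are recorded as proof of the successful login.
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
    end
  rescue Rex::ConnectionError => e
    # #send_request collapses every transport error (EOF, timeout, reset,
    # TLS failure) into Rex::ConnectionError, so this is the only rescue needed.
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end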

#check_setupObject


# File 'lib/metasploit/framework/login_scanner/http.rb', line 180

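# Probe +uri+ once, without answering any authentication challenge, to
# confirm the target actually requires HTTP authentication before any
# credential is tried. Without this guard an unprotected URI would answer
# 200 to every request and #attempt_login would report each credential as
# SUCCESSFUL.
#
# @return [String, false] "Unable to connect to target" when the probe
#   could not be completed, "No authentication required" when the target
#   did not answer 401 with a WWW-Authenticate header, or +false+ when the
#   scan may proceed.
def check_setup
  http_client = Rex::Proto::Http::Client.new(
    host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
  )
  # Apply the scanner's client configuration exactly as #send_request does,
  # so the probe is sent the same way as the real login attempts.
  configure_http_client(http_client)
  request = http_client.request_cgi(
    'uri' => uri,
    'method' => method
  )

  begin
    # Use _send_recv instead of send_recv to skip automatic
    # authentication: the point is to observe the 401 challenge, not to
    # answer it with http_username/http_password.
    response = http_client._send_recv(request)
  rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error
    # Return here: the connection failure used to fall through to the
    # status check below and was reported as "No authentication required".
    return "Unable to connect to target"
  ensure
    # _send_recv opens the connection; release it whether or not it succeeded.
    http_client.close
  end

  if response && response.code == 401 && response.headers['WWW-Authenticate']
    false
  else
    "No authentication required"
  end
end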

#send_request(opts) ⇒ Rex::Proto::Http::Response, NilClass

Sends a HTTP request with Rex

Parameters:

  • opts (Hash)

    native support includes the following (the whole hash is also handed to Rex::Proto::Http::Client#request_cgi, so its request options are accepted too)

Options Hash (opts):

  • 'host' (String)

    The remote host

  • 'rport' (Integer)

    The remote port

  • 'ssl' (Boolean)

    The SSL setting, TrueClass or FalseClass

  • 'proxies' (String)

    The proxies setting

  • 'credential' (Credential)

    A credential object

  • 'context' ('Hash')

    A context

Returns:

  • (Rex::Proto::Http::Response)

    The HTTP response

  • (NilClass)

    An error has occurred while reading the response (see Rex::Proto::Http::Client#read_response)

Raises:

  • (Rex::ConnectionError)

    One of these errors has occurred and was re-raised as Rex::ConnectionError: EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error


# File 'lib/metasploit/framework/login_scanner/http.rb', line 218

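# Sends a HTTP request with Rex
#
# A fresh Rex::Proto::Http::Client is built for every call, configured via
# configure_http_client, connected, used for exactly one request and then
# closed. By default the request is sent with +send_recv+, which answers
# the server's authentication challenge with the supplied credential (or
# http_username/http_password when no credential is given); pass
# 'authenticate' => false to send the bare request with +_send_recv+.
#
# @param opts [Hash] native support includes the following (the whole hash
#   is also handed to Rex::Proto::Http::Client#request_cgi)
# @option opts 'host' [String] The remote host (defaults to #host)
# @option opts 'rport' [Integer] The remote port (defaults to #port; 'port'
#   is accepted as an alias of the documented option name)
# @option opts 'ssl' [Boolean] Whether to use SSL/TLS; an explicit +false+
#   overrides #ssl, +nil+ or absence falls back to #ssl
# @option opts 'ssl_version' [String] The SSL/TLS version (defaults to #ssl_version)
# @option opts 'proxies' [String] The proxies setting (defaults to #proxies)
# @option opts 'credential' [Credential] A credential object; its realm
#   (an Active Directory domain, see REALM_KEY) becomes the client's 'domain'
# @option opts 'context' [Hash] A context
# @option opts 'authenticate' [Boolean] Whether the client may answer the
#   authentication challenge (default true)
# @return [Rex::Proto::Http::Response] The HTTP response
# @return [NilClass] An error has occurred while reading the response
#   (see Rex::Proto::Http::Client#read_response)
# @raise [Rex::ConnectionError] One of these errors has occurred: EOFError,
#   Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError,
#   OpenSSL::SSL::SSLError, ::Timeout::Error
def send_request(opts)
  credential      = opts['credential']
  rhost           = opts['host'] || host
  # 'rport' is the key this method has always read; 'port' is the documented name.
  rport           = opts['rport'] || opts['port'] || port
  # A boolean must be tested for nil, not truthiness: `opts['ssl'] || ssl`
  # silently ignored an explicit 'ssl' => false and re-enabled TLS.
  cli_ssl         = opts['ssl'].nil? ? ssl : opts['ssl']
  cli_ssl_version = opts['ssl_version'] || ssl_version
  cli_proxies     = opts['proxies'] || proxies
  username        = credential ? credential.public : http_username
  password        = credential ? credential.private : http_password
  realm           = credential ? credential.realm : nil
  context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module }

  res = nil
  cli = Rex::Proto::Http::Client.new(
    rhost,
    rport,
    context,
    cli_ssl,
    cli_ssl_version,
    cli_proxies,
    username,
    password
  )
  configure_http_client(cli)

  # The credential's realm is handed to the client as its 'domain' setting.
  cli.set_config('domain' => realm) if realm

  begin
    cli.connect
    req = cli.request_cgi(opts)
    # Authenticate by default
    res = if opts['authenticate'].nil? || opts['authenticate']
            cli.send_recv(req)
          else
            cli._send_recv(req)
          end
  rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    # Collapse every transport failure into one exception type so callers
    # such as #attempt_login only need to rescue Rex::ConnectionError.
    raise Rex::ConnectionError, e.message
  ensure
    # Release the socket even when connect or the request raised.
    cli.close
  end

  res
end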