Class: Metasploit::Framework::LoginScanner::SoftingSIS

Inherits:
HTTP
  • Object
show all
Defined in:
lib/metasploit/framework/login_scanner/softing_sis.rb

Constant Summary collapse

DEFAULT_PORT =
8099
DEFAULT_SSL_PORT =
443
PRIVATE_TYPES =
[ :password ]
LOGIN_STATUS =
Metasploit::Model::Login::Status

Constants inherited from HTTP

HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary collapse

Methods inherited from HTTP

#send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to Softing Secure Integration Server

Parameters:

Returns:

  • (Result)

    A Result object indicating success or failure



118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# File 'lib/metasploit/framework/login_scanner/softing_sis.rb', line 118

def (credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  begin
    result_opts.merge!((credential.public, credential.private))
  rescue ::Rex::ConnectionError => e
    # something went wrong during login
    result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
  end

  Result.new(result_opts)
end

#check_setupBoolean

Check if the target is Softing Secure Integration Server

Returns:

  • (Boolean)

    TrueClass if target is SIS, otherwise FalseClass



16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# File 'lib/metasploit/framework/login_scanner/softing_sis.rb', line 16

def check_setup
  # we can interact with this endpoint as an unauthenticated user
  uri = normalize_uri("#{uri}/runtime/core/product-version")
  res = send_request({ 'uri' => uri })
  # make sure we get a response, and that the check was successful
  unless res && res.code == 200
    return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s }
  end

  # convert the response to JSON
  # we expect to see a response like {"version" : "1.22.0.8686"}
  res_json = res.get_json_document
  # if we successfully get the version
  if res_json['version']
    # return true
    return res_json['version']
  end

  false
end

#do_login(user, pass) ⇒ Hash

the actual login method, called by #attempt_login

Parameters:

  • user (String)

    The username to try

  • pass (String)

    The password to try

Returns:

  • (Hash)
    • status [Metasploit::Model::Login::Status]

    • proof [String] the HTTP response body



44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# File 'lib/metasploit/framework/login_scanner/softing_sis.rb', line 44

def (user, pass)
  # prep the data needed for login
  protocol = ssl ? 'https' : 'http'
  # attempt to get an authentication token
  auth_token_uri = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication-token")

  # send the request to get an authentication token
  auth_res = send_request({
    'method' => 'GET',
    'uri' => auth_token_uri,
    'cookie' => 'lang=en; user=guest'
  })

  # check if we get a response
  unless auth_res
    return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: auth_res.to_s }
  end

  # convert the response to JSON
  auth_json = auth_res.get_json_document
  # if the response code is 404, the user does not exist
  if auth_res.code == 404 && auth_json && auth_json['Message']
    return { status: LOGIN_STATUS::INCORRECT, proof: auth_json['Message'] }
  end

  # if the response code is 403, the user exists but access is denied
  if auth_res.code == 403 && auth_json && auth_json['Message']
    return { status: LOGIN_STATUS::DENIED_ACCESS, proof: auth_json['Message'] }
  end

  # get authentication token
  auth_token = auth_json['authentication-token']
  # check that the token is not blank
  if auth_token.blank?
    framework_module.vprint_error('Received empty authentication token!')
    return { status: LOGIN_STATUS::INCORRECT, proof: auth_res.body.to_s }
  end

   = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication")
  # calculate signature to use when logging in
  signature = Digest::MD5.hexdigest(auth_token + pass + auth_token + user + auth_token)
  # GET parameters for login
  vars_get = {
    'Signature' => signature,
    'User' => user
  }

  # do the login
  res = send_request({
    'method' => 'GET',
    'uri' => ,
    'cookie' => 'lang=en; user=guest',
    'headers' => { 'Referer' => "#{protocol}://#{host}:#{port}" },
    'vars_get' => vars_get
  })

  unless res
    return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s }
  end

  # the response is in JSON format
  res_json = res.get_json_document
  # a successful response will contain {"Message": "Success"}
  if res.code == 200 && res_json && res_json['Message'] == 'Success'
    return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.body }
  end

  { status: LOGIN_STATUS::INCORRECT, proof: res.body }
end