Class: Metasploit::Framework::LoginScanner::SoftingSIS
- Defined in:
- lib/metasploit/framework/login_scanner/softing_sis.rb
Constant Summary collapse
- DEFAULT_PORT =
8099
- DEFAULT_SSL_PORT =
443
- PRIVATE_TYPES =
[ :password ]
- LOGIN_STATUS =
Metasploit::Model::Login::Status
Constants inherited from HTTP
HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY
Instance Attribute Summary
Attributes inherited from HTTP
#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost
Instance Method Summary collapse
-
#attempt_login(credential) ⇒ Result
Attempts to login to Softing Secure Integration Server.
-
#check_setup ⇒ Boolean
Check if the target is Softing Secure Integration Server.
-
#do_login(user, pass) ⇒ Hash
the actual login method, called by #attempt_login.
Methods inherited from HTTP
Instance Method Details
#attempt_login(credential) ⇒ Result
Attempts to login to Softing Secure Integration Server
118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 |
# File 'lib/metasploit/framework/login_scanner/softing_sis.rb', line 118 def attempt_login(credential) result_opts = { credential: credential, status: Metasploit::Model::Login::Status::INCORRECT, proof: nil, host: host, port: port, protocol: 'tcp' } begin result_opts.merge!(do_login(credential.public, credential.private)) rescue ::Rex::ConnectionError => e # something went wrong during login result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.) end Result.new(result_opts) end |
#check_setup ⇒ Boolean
Check if the target is Softing Secure Integration Server
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
# File 'lib/metasploit/framework/login_scanner/softing_sis.rb', line 16 def check_setup # we can interact with this endpoint as an unauthenticated user uri = normalize_uri("#{uri}/runtime/core/product-version") res = send_request({ 'uri' => uri }) # make sure we get a response, and that the check was successful unless res && res.code == 200 return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s } end # convert the response to JSON # we expect to see a response like {"version" : "1.22.0.8686"} res_json = res.get_json_document # if we successfully get the version if res_json['version'] # return true return res_json['version'] end false end |
#do_login(user, pass) ⇒ Hash
the actual login method, called by #attempt_login
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
# File 'lib/metasploit/framework/login_scanner/softing_sis.rb', line 44 def do_login(user, pass) # prep the data needed for login protocol = ssl ? 'https' : 'http' # attempt to get an authentication token auth_token_uri = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication-token") # send the request to get an authentication token auth_res = send_request({ 'method' => 'GET', 'uri' => auth_token_uri, 'cookie' => 'lang=en; user=guest' }) # check if we get a response unless auth_res return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: auth_res.to_s } end # convert the response to JSON auth_json = auth_res.get_json_document # if the response code is 404, the user does not exist if auth_res.code == 404 && auth_json && auth_json['Message'] return { status: LOGIN_STATUS::INCORRECT, proof: auth_json['Message'] } end # if the response code is 403, the user exists but access is denied if auth_res.code == 403 && auth_json && auth_json['Message'] return { status: LOGIN_STATUS::DENIED_ACCESS, proof: auth_json['Message'] } end # get authentication token auth_token = auth_json['authentication-token'] # check that the token is not blank if auth_token.blank? framework_module.vprint_error('Received empty authentication token!') return { status: LOGIN_STATUS::INCORRECT, proof: auth_res.body.to_s } end login_uri = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication") # calculate signature to use when logging in signature = Digest::MD5.hexdigest(auth_token + pass + auth_token + user + auth_token) # GET parameters for login vars_get = { 'Signature' => signature, 'User' => user } # do the login res = send_request({ 'method' => 'GET', 'uri' => login_uri, 'cookie' => 'lang=en; user=guest', 'headers' => { 'Referer' => "#{protocol}://#{host}:#{port}" }, 'vars_get' => vars_get }) unless res return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s } end # the response is in JSON format res_json = res.get_json_document # a successful response will contain {"Message": "Success"} if res.code == 200 && res_json && res_json['Message'] == 'Success' return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.body } end { status: LOGIN_STATUS::INCORRECT, proof: res.body } end |