Class: Metasploit::Framework::LoginScanner::SymantecWebGateway
- Defined in:
- lib/metasploit/framework/login_scanner/symantec_web_gateway.rb
Constant Summary collapse
- DEFAULT_PORT =
443
- PRIVATE_TYPES =
[ :password ]
- LOGIN_STATUS =
Shorter name
Metasploit::Model::Login::Status
Constants inherited from HTTP
HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY
Instance Attribute Summary
Attributes inherited from HTTP
#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost
Instance Method Summary collapse
-
#attempt_login(credential) ⇒ Result
Attempts to login to Symantec Web Gateway.
-
#check_setup ⇒ Boolean
Checks if the target is Symantec Web Gateway.
-
#get_last_sid ⇒ String
Returns the latest sid from Symantec Web Gateway.
-
#get_login_state(username, password) ⇒ Hash
Actually doing the login.
Methods inherited from HTTP
Instance Method Details
#attempt_login(credential) ⇒ Result
Attempts to login to Symantec Web Gateway. This is called first.
97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 97 def attempt_login(credential) result_opts = { credential: credential, status: Metasploit::Model::Login::Status::INCORRECT, proof: nil, host: host, port: port, protocol: 'tcp' } begin result_opts.merge!(get_login_state(credential.public, credential.private)) rescue ::Rex::ConnectionError => e # Something went wrong during login. 'e' knows what's up. result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.) end Result.new(result_opts) end |
#check_setup ⇒ Boolean
Checks if the target is Symantec Web Gateway. The login module should call this.
18 19 20 21 22 23 24 25 26 27 |
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 18 def check_setup login_uri = normalize_uri("#{uri}/spywall/login.php") res = send_request({'uri'=> login_uri}) if res && res.body.include?('Symantec Web Gateway') return true end false end |
#get_last_sid ⇒ String
Returns the latest sid from Symantec Web Gateway.
33 34 35 36 37 38 39 40 41 42 43 44 45 |
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 33 def get_last_sid @last_sid ||= lambda { # We don't have a session ID. Well, let's grab one right quick from the login page. # This should probably only happen once (initially). login_uri = normalize_uri("#{uri}/spywall/login.php") res = send_request({'uri' => login_uri}) return '' unless res = res. @last_sid = .scan(/(PHPSESSID=\w+);*/).flatten[0] || '' }.call end |
#get_login_state(username, password) ⇒ Hash
Actually doing the login. Called by #attempt_login
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 |
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 55 def get_login_state(username, password) # Prep the data needed for login sid = get_last_sid protocol = ssl ? 'https' : 'http' peer = "#{host}:#{port}" login_uri = normalize_uri("#{uri}/spywall/login.php") res = send_request({ 'uri' => login_uri, 'method' => 'POST', 'cookie' => sid, 'headers' => { 'Referer' => "#{protocol}://#{peer}/#{login_uri}" }, 'vars_post' => { 'USERNAME' => username, 'PASSWORD' => password, 'loginBtn' => 'Login' # Found in the HTML form } }) unless res return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s} end # After login, the application should give us a new SID = res. sid = .scan(/(PHPSESSID=\w+);*/).flatten[0] || '' @last_sid = sid # Update our SID if res.headers['Location'].to_s.include?('executive_summary.php') && !sid.blank? return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.to_s} end {:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s} end |