Class: Metasploit::Framework::LoginScanner::SymantecWebGateway

Inherits:
HTTP
  • Object
show all
Defined in:
lib/metasploit/framework/login_scanner/symantec_web_gateway.rb

Constant Summary collapse

DEFAULT_PORT =
443
PRIVATE_TYPES =
[ :password ]
LOGIN_STATUS =

Shorter name

Metasploit::Model::Login::Status

Constants inherited from HTTP

HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary collapse

Methods inherited from HTTP

#send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to Symantec Web Gateway. This is called first.

Parameters:

Returns:

  • (Result)

    A Result object indicating success or failure



97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 97

def (credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  begin
    result_opts.merge!((credential.public, credential.private))
  rescue ::Rex::ConnectionError => e
    # Something went wrong during login. 'e' knows what's up.
    result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
  end

  Result.new(result_opts)
end

#check_setupBoolean

Checks if the target is Symantec Web Gateway. The login module should call this.

Returns:

  • (Boolean)

    TrueClass if target is SWG, otherwise FalseClass



18
19
20
21
22
23
24
25
26
27
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 18

def check_setup
   = normalize_uri("#{uri}/spywall/login.php")
  res = send_request({'uri'=> })

  if res && res.body.include?('Symantec Web Gateway')
    return true
  end

  false
end

#get_last_sidString

Returns the latest sid from Symantec Web Gateway.

Returns:

  • (String)

    The PHP Session ID for Symantec Web Gateway login



33
34
35
36
37
38
39
40
41
42
43
44
45
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 33

def get_last_sid
  @last_sid ||= lambda {
    # We don't have a session ID. Well, let's grab one right quick from the login page.
    # This should probably only happen once (initially).
     = normalize_uri("#{uri}/spywall/login.php")
    res = send_request({'uri' => })

    return '' unless res

    cookies = res.get_cookies
    @last_sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
  }.call
end

#get_login_state(username, password) ⇒ Hash

Actually doing the login. Called by #attempt_login

Parameters:

  • username (String)

    The username to try

  • password (String)

    The password to try

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body



55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# File 'lib/metasploit/framework/login_scanner/symantec_web_gateway.rb', line 55

def (username, password)
  # Prep the data needed for login
  sid       = get_last_sid
  protocol  = ssl ? 'https' : 'http'
  peer      = "#{host}:#{port}"
   = normalize_uri("#{uri}/spywall/login.php")

  res = send_request({
    'uri' => ,
    'method' => 'POST',
    'cookie' => sid,
    'headers' => {
      'Referer' => "#{protocol}://#{peer}/#{}"
    },
    'vars_post' => {
      'USERNAME' => username,
      'PASSWORD' => password,
      'loginBtn' => 'Login' # Found in the HTML form
    }
  })

  unless res
    return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s}
  end

  # After login, the application should give us a new SID
  cookies = res.get_cookies
  sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
  @last_sid = sid # Update our SID

  if res.headers['Location'].to_s.include?('executive_summary.php') && !sid.blank?
    return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.to_s}
  end

  {:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s}
end