CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Report8include Msf::Auxiliary::AuthBrute910include Msf::Auxiliary::Scanner1112def initialize13super(14'Name' => 'OpenVAS gsad Web Interface Login Utility',15'Description' => %q{16This module simply attempts to login to an OpenVAS gsad interface17using a specific user/pass.18},19'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],20'License' => MSF_LICENSE,21'DefaultOptions' => { 'SSL' => true }22)2324register_options(25[26Opt::RPORT(443),27OptString.new('URI', [true, "URI for OpenVAS omp login. Default is /omp", "/omp"]),28OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),29])3031register_advanced_options(32[33OptString.new('OMP_text', [true, "value for OpenVAS omp text login hidden field", "/omp?cmd=get_tasks&overrides=1"]),34OptString.new('OMP_cmd', [true, "value for OpenVAS omp cmd login hidden field", "login"])35])36end3738def run_host(ip)39begin40res = send_request_cgi({41'uri' => datastore['URI'],42'method' => 'GET'43}, 25)44http_fingerprint({ :response => res })45rescue ::Rex::ConnectionError => e46vprint_error("#{msg} #{datastore['URI']} - #{e}")47return48end4950if not res51vprint_error("#{msg} #{datastore['URI']} - No response")52return53end54if res.code != 20055vprint_error("#{msg} - Expected 200 HTTP code - not gsad?")56return57end58if res.body !~ /Greenbone Security Assistant \(GSA\)/59vprint_error("#{msg} - Expected GSA keyword on page - not gsad?")60return61end6263each_user_pass do |user, pass|64do_login(user, pass)65end66end6768def do_login(user='openvas', pass='openvas')69vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")70headers = {}71begin72res = send_request_cgi({73'encode' => true,74'uri' => datastore['URI'],75'method' => 'POST',76'headers' => headers,77'vars_post' => {78'cmd' => datastore['OMP_cmd'],79'text' => datastore['OMP_text'],80'login' => user,81'password' => pass82}83}, 25)8485rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT86print_error("#{msg} HTTP Connection Failed, Aborting")87return :abort88end8990if not res91print_error("#{msg} HTTP Connection Error - res, Aborting")92return :abort93end9495# vprint_status("#{msg} GOT BODY. '#{user}' : '#{pass}' - #{res.code} #{res.body}")9697if res.code == 30398print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")99100report_cred(101ip: datastore['RHOST'],102port: datastore['RPORT'],103service_name: 'openvas-gsa',104user: user,105password: pass,106proof: res.code.to_s107)108return :next_user109end110vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")111return :skip_pass112end113114def report_cred(opts)115service_data = {116address: opts[:ip],117port: opts[:port],118service_name: opts[:service_name],119protocol: 'tcp',120workspace_id: myworkspace_id121}122123credential_data = {124origin_type: :service,125module_fullname: fullname,126username: opts[:user],127private_data: opts[:password],128private_type: :password129}.merge(service_data)130131login_data = {132core: create_credential(credential_data),133status: Metasploit::Model::Login::Status::UNTRIED,134proof: opts[:proof]135}.merge(service_data)136137create_credential_login(login_data)138end139140def msg141"#{vhost}:#{rport} OpenVAS gsad -"142end143end144145146