metasploit-framework/modules/auxiliary/scanner/http/http_hsts.rb

57 lines
1.3 KiB
Ruby
Raw Normal View History

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
2012-11-30 14:30:11 +00:00
require 'msf/core'
2012-11-30 14:30:11 +00:00
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'HTTP Strict Transport Security (HSTS) Detection',
'Description' => %q{
Display HTTP Strict Transport Security (HSTS) information about each system.
},
'Author' => 'Matt "hostess" Andreko <mandreko[at]accuvant.com>',
2012-11-30 14:30:11 +00:00
'License' => MSF_LICENSE
))
2012-11-30 14:30:11 +00:00
register_options([
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
2012-11-30 18:57:25 +00:00
Opt::RPORT(443)
2012-11-30 14:30:11 +00:00
])
end
def run_host(ip)
begin
res = send_request_cgi({
'uri' => '/',
'method' => 'GET',
2012-11-30 14:30:11 +00:00
}, 25)
hsts = res.headers['Strict-Transport-Security']
if res and hsts
print_good("#{ip}:#{rport} - Strict-Transport-Security:#{hsts}")
report_note({
:data => hsts,
2012-11-30 20:53:57 +00:00
:type => "hsts.data",
:host => ip,
:port => rport
})
2012-11-30 14:30:11 +00:00
else
print_error("#{ip}:#{rport} No HSTS found.")
end
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end