metasploit-framework/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'F5 Management Interface Scanner',
      'Description'   => %q{
        This module simply detects web management interface of the following F5 Networks devices: BigIP, BigIQ, Enterprise Manager, ARX, and FirePass.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Denis Kolegov <dnkolegov[at]gmail.com>',
          'Oleg Broslavsky <ovbroslavsky[at]gmail.com>',
          'Nikita Oleksov <neoleksov[at]gmail.com>'
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'SSLVersion' => 'TLS1',
          'RPORT' => 443
        }
    ))

    register_options(
        [
          OptInt.new('TIMEOUT', [true, "Timeout for the HTTPS probe in milliseconds", 1000])
        ], self.class)
  end

  def port_open?(to, verbose)
    begin
      ::Timeout.timeout(to) do
        begin
          res = send_request_raw('method' => 'GET', 'uri' => '/')
          return true if res
        rescue ::Rex::ConnectionRefused
          print_status("#{peer} - TCP port closed") if verbose
          return false
        rescue ::Rex::ConnectionError
          print_error("#{peer} - Connection failed") if verbose
          return false
        rescue ::OpenSSL::SSL::SSLError
          print_error("#{peer} - SSL/TLS connection error") if verbose
          return false
        rescue => e
          print_error("#{peer} - Connection failed") if verbose
        end
      end
    rescue Timeout::Error
      print_error("#{peer} - HTTP connection timed out") if verbose
      return false
    end
  end

  def run_host(ip)
    # Test if a RPORT on a remote host is reachable using HTTPClient
    to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
    verbose = datastore['VERBOSE']
    return unless port_open?(to, verbose)

    res = send_request_raw('method' => 'GET', 'uri' => '/')
    if res && res.code == 200

      # Detect BigIP management interface
      if res.body =~ /<title>BIG\-IP/
        print_status("#{peer} - F5 BigIP web management interface found")
        return
      end

      # Detect EM management interface
      if res.body =~ /<title>Enterprise Manager/
        print_status("#{peer} - F5 Enterprise Manager web management interface found")
        return
      end

      # Detect ARX management interface
      if res.body =~ /<title>F5 ARX Manager Login<\/title>/
        print_status("#{peer} - ARX web management interface found")
        return
      end
    end

    res = send_request_raw('method' => 'GET', 'uri' => '/ui/login/', 'rport' => rport)

    # Detect BigIQ management interface
    if res && res.code == 200 && res.body =~ /<title>BIG\-IQ/
      print_status("#{peer} - F5 BigIQ web management interface found")
      return
    end

    # Detect FirePass management interface
    res = send_request_raw('method' => 'GET', 'uri' => '/admin/', 'rport' => rport)
    if res && res.code == 200 && res.body =~ /<br><br><br><big><b>&nbsp;FirePass/
      print_status("#{peer} - F5 FirePass web management interface found")
      return
    end
  end
end
Add scanner for F5 web management interfaces 2015-03-12 10:50:29 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Scanner`

Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'F5 Management Interface Scanner',`
			`'Description' => %q{`
			`This module simply detects web management interface of the following F5 Networks devices: BigIP, BigIQ, Enterprise Manager, ARX, and FirePass.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Denis Kolegov <dnkolegov[at]gmail.com>',`
			`'Oleg Broslavsky <ovbroslavsky[at]gmail.com>',`
			`'Nikita Oleksov <neoleksov[at]gmail.com>'`
			`],`
Deleted spaces at EOL 2015-03-23 08:34:38 +00:00			`'DefaultOptions' =>`
Deleted default options and SYN scan 2015-03-23 08:31:08 +00:00			`{`
			`'SSL' => true,`
			`'SSLVersion' => 'TLS1',`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`'RPORT' => 443`
Deleted default options and SYN scan 2015-03-23 08:31:08 +00:00			`}`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`))`
Add SSL/TLS support, fix minor errors, change default parameters 2015-03-17 06:49:11 +00:00
Deleted default options and SYN scan 2015-03-23 08:31:08 +00:00			`register_options(`
			`[`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`OptInt.new('TIMEOUT', [true, "Timeout for the HTTPS probe in milliseconds", 1000])`
Deleted default options and SYN scan 2015-03-23 08:31:08 +00:00			`], self.class)`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`end`
Add scanner for F5 web management interfaces 2015-03-12 10:50:29 +00:00
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`def port_open?(to, verbose)`
			`begin`
			`::Timeout.timeout(to) do`
			`begin`
Fixed bugs 2015-05-02 09:09:03 +00:00			`res = send_request_raw('method' => 'GET', 'uri' => '/')`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`return true if res`
			`rescue ::Rex::ConnectionRefused`
			`print_status("#{peer} - TCP port closed") if verbose`
			`return false`
			`rescue ::Rex::ConnectionError`
			`print_error("#{peer} - Connection failed") if verbose`
			`return false`
			`rescue ::OpenSSL::SSL::SSLError`
			`print_error("#{peer} - SSL/TLS connection error") if verbose`
			`return false`
Add BigIP HTTP VS scanner and fix connection errors 2015-04-03 06:30:03 +00:00			`rescue => e`
			`print_error("#{peer} - Connection failed") if verbose`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`end`
			`end`
			`rescue Timeout::Error`
			`print_error("#{peer} - HTTP connection timed out") if verbose`
			`return false`
			`end`
Add scanner for F5 web management interfaces 2015-03-12 10:50:29 +00:00			`end`

			`def run_host(ip)`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`# Test if a RPORT on a remote host is reachable using HTTPClient`
Add scanner for F5 web management interfaces 2015-03-12 10:50:29 +00:00			`to = (datastore['TIMEOUT'] \|\| 500).to_f / 1000.0`
Deleted default options and SYN scan 2015-03-23 08:31:08 +00:00			`verbose = datastore['VERBOSE']`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`return unless port_open?(to, verbose)`

Fixed bugs 2015-05-02 09:09:03 +00:00			`res = send_request_raw('method' => 'GET', 'uri' => '/')`
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`if res && res.code == 200`

			`# Detect BigIP management interface`
			`if res.body =~ /<title>BIG\-IP/`
			`print_status("#{peer} - F5 BigIP web management interface found")`
			`return`
			`end`

			`# Detect EM management interface`
			`if res.body =~ /<title>Enterprise Manager/`
			`print_status("#{peer} - F5 Enterprise Manager web management interface found")`
			`return`
			`end`

			`# Detect ARX management interface`
			`if res.body =~ /<title>F5 ARX Manager Login<\/title>/`
			`print_status("#{peer} - ARX web management interface found")`
			`return`
			`end`
			`end`
Add scanner for F5 web management interfaces 2015-03-12 10:50:29 +00:00
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`res = send_request_raw('method' => 'GET', 'uri' => '/ui/login/', 'rport' => rport)`
Add scanner for F5 web management interfaces 2015-03-12 10:50:29 +00:00
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`# Detect BigIQ management interface`
			`if res && res.code == 200 && res.body =~ /<title>BIG\-IQ/`
			`print_status("#{peer} - F5 BigIQ web management interface found")`
			`return`
Deleted default options and SYN scan 2015-03-23 08:31:08 +00:00			`end`
Deleted spaces at EOL 2015-03-23 08:34:38 +00:00
Delete useless ecnryption cookie detection, fix minor issues 2015-03-25 06:34:33 +00:00			`# Detect FirePass management interface`
			`res = send_request_raw('method' => 'GET', 'uri' => '/admin/', 'rport' => rport)`
			`if res && res.code == 200 && res.body =~ /<br><br><br><big><b> FirePass/`
			`print_status("#{peer} - F5 FirePass web management interface found")`
			`return`
			`end`
Add SSL/TLS support, fix minor errors, change default parameters 2015-03-17 06:49:11 +00:00			`end`
Add scanner for F5 web management interfaces 2015-03-12 10:50:29 +00:00			`end`