Land #11035, improve fingerprinting for Cisco ASA VPN scanner

2018-11-29 16:41:22 -06:00 · 2018-11-29 16:41:22 -06:00 · 8ff838b9c7
parent 7a4d67d5f6
commit 8ff838b9c7
1 changed files with 18 additions and 48 deletions
--- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
+++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
@ -99,68 +99,39 @@ class MetasploitModule < Msf::Auxiliary
    false
  end

+  def get_login_resource
+    send_request_cgi(
+      'uri' => '/+CSCOE+/logon.html',
+      'method' => 'GET',
+      'vars_get' => { 'fcadbadd' => "1" }
+    )
+  end
+
  def enumerate_vpn_groups
-    res = send_request_cgi(
-            'uri' => '/+CSCOE+/logon.html',
-            'method' => 'GET',
-          )
-
-    if res &&
-       res.code == 302
-
-      res = send_request_cgi(
-              'uri' => '/+CSCOE+/logon.html',
-              'method' => 'GET',
-              'vars_get' => { 'fcadbadd' => "1" }
-            )
-    end
-
    groups = Set.new
    group_name_regex = /<select id="group_list"  name="group_list" style="z-index:1(?:; float:left;)?" onchange="updateLogonForm\(this\.value,{(.*)}/

-    if res &&
-       match = res.body.match(group_name_regex)
-
+    res = get_login_resource
+    if res && match = res.body.match(group_name_regex)
      group_string = match[1]
      groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set
    end

-    return groups
+    groups
  end

  # Verify whether we're working with SSL VPN or not
  def is_app_ssl_vpn?
-    res = send_request_cgi(
-            'uri' => '/+CSCOE+/logon.html',
-            'method' => 'GET',
-          )
-
-    if res &&
-       res.code == 302
-
-      res = send_request_cgi(
-              'uri' => '/+CSCOE+/logon.html',
-              'method' => 'GET',
-              'vars_get' => { 'fcadbadd' => "1" }
-            )
-    end
-
-    if res &&
-       res.code == 200 &&
-       res.body.match(/webvpnlogin/)
-
-      return true
-    else
-      return false
-    end
+    res = get_login_resource
+    res && res.code == 200 && res.body.match(/webvpnlogin/)
  end

  def do_logout(cookie)
-    res = send_request_cgi(
-            'uri' => '/+webvpn+/webvpn_logout.html',
-            'method' => 'GET',
-            'cookie'    => cookie
-          )
+    send_request_cgi(
+      'uri' => '/+webvpn+/webvpn_logout.html',
+      'method' => 'GET',
+      'cookie' => cookie
+    )
  end

  def report_cred(opts)
@ -190,7 +161,6 @@ class MetasploitModule < Msf::Auxiliary
    create_credential_login(login_data)
  end

-
  # Brute-force the login page
  def do_login(user, pass, group)
    vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")