Land #11035, improve fingerprinting for Cisco ASA VPN scanner

4.x
Jacob Robles 2018-11-29 16:41:22 -06:00 committed by Metasploit
parent 7a4d67d5f6
commit 8ff838b9c7
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
1 changed files with 18 additions and 48 deletions

View File

@ -99,64 +99,35 @@ class MetasploitModule < Msf::Auxiliary
false
end
def enumerate_vpn_groups
res = send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
)
if res &&
res.code == 302
res = send_request_cgi(
def get_login_resource
send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
'vars_get' => { 'fcadbadd' => "1" }
)
end
def enumerate_vpn_groups
groups = Set.new
group_name_regex = /<select id="group_list" name="group_list" style="z-index:1(?:; float:left;)?" onchange="updateLogonForm\(this\.value,{(.*)}/
if res &&
match = res.body.match(group_name_regex)
res = get_login_resource
if res && match = res.body.match(group_name_regex)
group_string = match[1]
groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set
end
return groups
groups
end
# Verify whether we're working with SSL VPN or not
def is_app_ssl_vpn?
res = send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
)
if res &&
res.code == 302
res = send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
'vars_get' => { 'fcadbadd' => "1" }
)
end
if res &&
res.code == 200 &&
res.body.match(/webvpnlogin/)
return true
else
return false
end
res = get_login_resource
res && res.code == 200 && res.body.match(/webvpnlogin/)
end
def do_logout(cookie)
res = send_request_cgi(
send_request_cgi(
'uri' => '/+webvpn+/webvpn_logout.html',
'method' => 'GET',
'cookie' => cookie
@ -190,7 +161,6 @@ class MetasploitModule < Msf::Auxiliary
create_credential_login(login_data)
end
# Brute-force the login page
def do_login(user, pass, group)
vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")