Land #11035, improve fingerprinting for Cisco ASA VPN scanner
parent
7a4d67d5f6
commit
8ff838b9c7
|
@ -99,64 +99,35 @@ class MetasploitModule < Msf::Auxiliary
|
|||
false
|
||||
end
|
||||
|
||||
def enumerate_vpn_groups
|
||||
res = send_request_cgi(
|
||||
'uri' => '/+CSCOE+/logon.html',
|
||||
'method' => 'GET',
|
||||
)
|
||||
|
||||
if res &&
|
||||
res.code == 302
|
||||
|
||||
res = send_request_cgi(
|
||||
def get_login_resource
|
||||
send_request_cgi(
|
||||
'uri' => '/+CSCOE+/logon.html',
|
||||
'method' => 'GET',
|
||||
'vars_get' => { 'fcadbadd' => "1" }
|
||||
)
|
||||
end
|
||||
|
||||
def enumerate_vpn_groups
|
||||
groups = Set.new
|
||||
group_name_regex = /<select id="group_list" name="group_list" style="z-index:1(?:; float:left;)?" onchange="updateLogonForm\(this\.value,{(.*)}/
|
||||
|
||||
if res &&
|
||||
match = res.body.match(group_name_regex)
|
||||
|
||||
res = get_login_resource
|
||||
if res && match = res.body.match(group_name_regex)
|
||||
group_string = match[1]
|
||||
groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set
|
||||
end
|
||||
|
||||
return groups
|
||||
groups
|
||||
end
|
||||
|
||||
# Verify whether we're working with SSL VPN or not
|
||||
def is_app_ssl_vpn?
|
||||
res = send_request_cgi(
|
||||
'uri' => '/+CSCOE+/logon.html',
|
||||
'method' => 'GET',
|
||||
)
|
||||
|
||||
if res &&
|
||||
res.code == 302
|
||||
|
||||
res = send_request_cgi(
|
||||
'uri' => '/+CSCOE+/logon.html',
|
||||
'method' => 'GET',
|
||||
'vars_get' => { 'fcadbadd' => "1" }
|
||||
)
|
||||
end
|
||||
|
||||
if res &&
|
||||
res.code == 200 &&
|
||||
res.body.match(/webvpnlogin/)
|
||||
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
res = get_login_resource
|
||||
res && res.code == 200 && res.body.match(/webvpnlogin/)
|
||||
end
|
||||
|
||||
def do_logout(cookie)
|
||||
res = send_request_cgi(
|
||||
send_request_cgi(
|
||||
'uri' => '/+webvpn+/webvpn_logout.html',
|
||||
'method' => 'GET',
|
||||
'cookie' => cookie
|
||||
|
@ -190,7 +161,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
create_credential_login(login_data)
|
||||
end
|
||||
|
||||
|
||||
# Brute-force the login page
|
||||
def do_login(user, pass, group)
|
||||
vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")
|
||||
|
|
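Review bot: In the first hunk, the rewritten `is_app_ssl_vpn?` ends with `res && res.code == 200 && res.body.match(/webvpnlogin/)`, so the predicate now yields `nil`, `false` or a `MatchData` object where the removed branch returned an explicit `true`/`false`. That is harmless inside an `if`, but any caller outside this hunk that compares the result with `true`/`false`, or stores or reports it, will behave differently. I would keep a strict boolean, for example `!res.nil? && res.code == 200 && res.body.include?('webvpnlogin')`. Separately, as far as the rendered page shows (the `+`/`-` markers are lost), `get_login_resource` always sends `fcadbadd=1` where the old code only retried with it after a 302. A short comment on the helper, such as `# Fetch the logon page with fcadbadd=1 up front; the 302 redirect is no longer checked first`, would tell the next reader that this is deliberate.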