From c9e8f9cbea04fd2d5f876cbb5a56fecfe94f76b5 Mon Sep 17 00:00:00 2001
From: Denis Kolegov
Date: Fri, 3 Apr 2015 02:30:03 -0400
Subject: [PATCH] Add BigIP HTTP VS scanner and fix connection errors
---
 .../scanner/http/f5_bigip_http_vs_scanner.rb | 89 +++++++++++++++++++
 .../auxiliary/scanner/http/f5_mgmt_scanner.rb | 2 +
 2 files changed, 91 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/f5_bigip_http_vs_scanner.rb
diff --git a/modules/auxiliary/scanner/http/f5_bigip_http_vs_scanner.rb b/modules/auxiliary/scanner/http/f5_bigip_http_vs_scanner.rb
new file mode 100644
index 0000000000..fd6edadd61
--- /dev/null
+++ b/modules/auxiliary/scanner/http/f5_bigip_http_vs_scanner.rb
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'F5 BigIP HTTP Virtual Server Scanner',
+ 'Description' => %q{
+ This module scans network for BigIP HTTP virtual servers based on simple
+ banner grabbing technique. BigIP system uses different HTTP profiles for
+ managing HTTP traffic. In particular, BIG-IP system uses HTTP profile that
+ specifies the string used as the server agent name in traffic generated by LTM.
+ The default value is equal to "BigIP" or "BIG-IP" and depends on BigIP system version.
+ },
+ 'Author' =>
+ [
+ 'Oleg Broslavsky ',
+ 'Nikita Oleksov ',
+ 'Denis Kolegov ',
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'https://www.owasp.org/index.php/SCG_D_BIGIP'],
+ ]
+ ))
+
+ register_options(
+ [
+ OptString.new('PORTS', [true, "Ports to scan (e.g. 80-81,443,8080-8090)", "80,443"]),
+ OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
+ ], self.class)
+
+ deregister_options('RPORT','RHOST')
+ end
+
+ def bigip_http?(ip, port, ssl, verbose = false)
+ begin
+ timeout = (datastore['TIMEOUT'] || 1000).to_f / 1000.0
+ ::Timeout.timeout(timeout) do
+ begin
+ res = send_request_raw('method' => 'GET', 'uri' => '/', 'rport' => port, 'SSL' => ssl)
+ if res
+ server = res.headers['Server']
+ return true if server =~ /BIG\-IP/ || server =~ /BigIP/
+ end
+ rescue ::Rex::ConnectionRefused
+ print_status("#{ip}:#{port} - TCP port closed") if verbose
+ rescue ::Rex::ConnectionError
+ print_error("#{ip}:#{port} - Connection error")
+ rescue ::OpenSSL::SSL::SSLError
+ print_error("#{ip}:#{port} - SSL/TLS connection error")
+ rescue => e
+ print_error("#{ip}:#{port} - Connection failed") if verbose
+ end
+ end
+ rescue Timeout::Error
+ print_error("#{ip}:#{port} - HTTP connection timed out") if verbose
+ end
+ return false
+ end
+
+ def run_host(ip)
+ verbose = datastore['VERBOSE']
+ ports = Rex::Socket.portspec_crack(datastore['PORTS'])
+ fail Msf::OptionValidateError.new(['PORTS']) if ports.empty?
+ ports.each do |port|
+ next if port == 443
+ if bigip_http?(ip, port, ssl = false, verbose)
+ print_status("#{ip}:#{port} - BigIP HTTP virtual server found")
+ end
+ end
+
+ ports.each do |port|
+ next if port == 80
+ if bigip_http?(ip, port, ssl = true, verbose)
+ print_status("#{ip}:#{port} - BigIP HTTP virtual server found")
+ end
+ end
+
+ end
+end
\ No newline at end of file
diff --git a/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb b/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb
index 049cd13fa4..1a1763f0c3 100644
--- a/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb
+++ b/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb
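Review bot: In run_host the calls `bigip_http?(ip, port, ssl = false, verbose)` and `bigip_http?(ip, port, ssl = true, verbose)` assign a local `ssl` as a side effect of building the argument list; pass the literals, `bigip_http?(ip, port, false, verbose)` and `bigip_http?(ip, port, true, verbose)`. In bigip_http? the catch-all `rescue => e` binds an `e` that is never read (the same unused binding is added in the f5_mgmt_scanner.rb hunk) and, unlike the `::Rex::ConnectionError` branch above it, reports only when verbose is set; write it as `rescue StandardError` and apply one gating rule to all four branches. The detection rests on the `Server` header alone, which any HTTP endpoint can set, so a hit is a banner heuristic rather than a confirmed virtual server; stating that in the Description and recording hits with `report_service` (which requires `include Msf::Auxiliary::Report`) would make the result easier to triage.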
@@ -51,6 +51,8 @@ class Metasploit3 < Msf::Auxiliary
 rescue ::OpenSSL::SSL::SSLError
 print_error("#{peer} - SSL/TLS connection error") if verbose
 return false
+ rescue => e
+ print_error("#{peer} - Connection failed") if verbose
 end
 end
 rescue Timeout::Error
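Review bot: The new `rescue => e` branch prints and then falls through, while the `::OpenSSL::SSL::SSLError` branch just above it ends with `return false`; if the code after the inner begin/end assumes a response was obtained, the new branch should also `return false`. The bound `e` is never read, so `rescue StandardError` states the intent without the unused variable. The enclosing method starts and ends outside the hunk, so whether fall-through is safe there cannot be confirmed from this view.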