Add Fortinet SSL login scanner Aux Mod #11427

Merged
merged 8 commits into from Mar 7, 2019

Contributor

mcmichels commented Feb 17, 2019

Adding a new scanner to bruteforce the login of Fortinet SSL VPN.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/http/fortinet_ssl_vpn
  • set username
  • set password
  • set rhost
  • run
mcmichels added 5 commits Feb 14, 2019
@mcmichels mcmichels changed the title Adding Fortinet SSL login scanner Add Fortinet SSL login scanner Aux Mod Feb 17, 2019
Contributor Author

mcmichels commented Feb 17, 2019

I don't understand the sanity test. I just removed unused lines and now it is failing?! When I execute the module on my computer it is working properly.

Contributor

bcoles commented Feb 19, 2019

> I don't understand the sanity test. I just removed unused lines and now it is failing?! When I execute the module on my computer it is working properly.

The failed sanity test can be safely ignored. The infrastructure goes insane every weekend so as to facilitate later contrast with normality.

Contributor Author

mcmichels commented Feb 19, 2019

Do I need to write doc before you merge? It is my first pull request and I do not know the workflow exactly.. 🙈

Contributor

jrobles-r7 commented Feb 19, 2019

Please add module documentation.

mcmichels added 2 commits Feb 19, 2019
@jrobles-r7 jrobles-r7 added docs and removed needs-docs labels Feb 20, 2019
Contributor Author

mcmichels commented Feb 20, 2019

What are next steps to merge the module? Do I need to do something?

Contributor

acammack-r7 commented Feb 20, 2019

@mcmichels This looks good, but it uses the old style of writing login scanners. If you feel up to it, we would prefer you take advantage of the newer tooling we have created for login scanners as shown in this guide: https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module#step-3-start-with-a-loginscanner-template

Contributor Author

mcmichels commented Feb 20, 2019

> If you feel up to it, we would prefer you take advantage of the newer tooling we have created for login scanners

I will try to do it next week as my time this week is limited. Hope I can manage to do it. Otherwise I will commit the week after...

Contributor

wchen-r7 commented Mar 5, 2019

Hi @mcmichels, apologies for not being familiar with the product. Is the server hardware, or is there something I could download and test? Thank you.

Contributor Author

mcmichels commented Mar 5, 2019

I use hardware, but there is also a VM. But you will need a valid license subscription to start the VM.

Contributor

wchen-r7 commented Mar 5, 2019

Ok, in that case I won't be able to test. But it's okay, usually in that type of scenario we ask the author for a PCAP to show that the module is in working condition, and then land it. Hopefully it isn't too much trouble, but could you please email us a PCAP to msfdev[at]metasploit.com? In the subject you should just say "PCAP for PR 11427", thank you!

Contributor

jhart-r7 commented Mar 5, 2019

As part of that PCAP would it also be possible to see the (presumed) default SSL certificate details and the complete HTTP response to the initial GET /? Would be useful for exposure metrics/etc.

Contributor Author

mcmichels commented Mar 5, 2019

@jharms What do you mean exactly? As I am totally new to Metasploit and have been working on my first module for the last 2 weeks, I am not familiar with your processes.

Contributor

jhart-r7 commented Mar 5, 2019

> @jharms What do you mean exactly? As I am totally new to Metasploit and have been working on my first module for the last 2 weeks, I am not familiar with your processes.

@mcmichels I was curious what the results of your check_conn method look like when run against an applicable device. It makes an HTTPS request to /, and as part of that process an SSL certificate will be provided by the server, and upon successful negotiation you'll get an HTTP response. I was curious about the details of that SSL certificate and the HTTP response for potentially improving the check_conn method (by validating status code, body contents, etc.) or for other general research efforts outside of Metasploit.

I suspect the PCAP that @wchen-r7 requested will have what I need, and if it doesn't, no worries! Thank you for your contribution!

Contributor Author

mcmichels commented Mar 5, 2019

> HTTP response

@jhart-r7 This just checks for general responsibility of the system, not for any specific answer nor SSL certificate. The check that it is a FortiGate is made by is_app_ssl_vpn.

If you think this is overhead, I can remove that check and integrate the timeout check/responsibility into is_app_ssl_vpn.

Contributor

wchen-r7 commented Mar 5, 2019

@mcmichels It turns out Jon found what he was looking for, so we're good. You don't need to remove the check, that one is good. Just go ahead and email us the PCAP and we should be good to go. Sorry for the confusion!

Contributor Author

mcmichels commented Mar 5, 2019

@wchen-r7 Okay, I will try to produce the PCAP tomorrow.

Contributor

wchen-r7 commented Mar 6, 2019

Thank you!

@wchen-r7 wchen-r7 self-assigned this Mar 6, 2019
Contributor Author

mcmichels commented Mar 7, 2019

Sorry for the delay... I have just sent the PCAP to you.

Contributor

wchen-r7 commented Mar 7, 2019

No problem. Thank you so much for the pcap. I'll start landing it now.

@wchen-r7 wchen-r7 merged commit 6fac0ec into rapid7:master Mar 7, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
wchen-r7 added a commit that referenced this pull request Mar 7, 2019
Contributor

wchen-r7 commented Mar 7, 2019

Release Notes

The scanner/http/fortinet_ssl_vpn auxiliary module has been added to the framework. This module tests credentials on Fortinet SSL VPN servers.

msjenkins-r7 added a commit that referenced this pull request Mar 7, 2019