Add module to brute force the Cisco IronPort application #2224
Conversation
This module scans for Cisco Ironport SMA, WSA and ESA web login portals, finds AsyncOS version and performs login brute force to identify valid credentials.
| }) | ||
|
|
||
| if (res) | ||
| cookie = res.headers['Set-Cookie'].split('; ')[0] |
There was a problem hiding this comment.
Thanks for the module. You definitely wanna handle the 'Set-Cookie' key possibly not being there (which would be nil), this occurs when you're firing against the wrong web server, or for some reason a newer/future version of your target doesn't set this. Example:
[-] Auxiliary failed: NoMethodError undefined method `split' for nil:NilClass
[-] Call stack:
[-] /msf/modules/auxiliary/scanner/http/cisco_ironport_enum.rb:67:in `is_app_ironport?'
[-] /msf/modules/auxiliary/scanner/http/cisco_ironport_enum.rb:41:in `run_host'
[-] /msf/lib/msf/core/auxiliary/scanner.rb:94:in `block in run'
[-] /msf/lib/msf/core/thread_manager.rb:100:in `call'
[-] /msf/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Auxiliary module execution completed
There was a problem hiding this comment.
Thanks. Valid point. I've added a new check to ensure 'Set-Cookie' is not null, in the new update.
Added code to check successful conn first, so now if there is no connectivity on target port, script aborts run. New check to ensure 'set-cookie' is set by the app as expected, before any further fingerprinting & b-f starts. If the app is not Ironport, 'set-cookie' will not be set & remains null, and so script aborts run. De-registered 'TARGETURI.' Registered 'username' and 'password' with default value. Changed some run messages. And lastly, changed the csrf key piece cos I miss a cold beer right now.
|
Thanks for the update, @juushya. It looks like we don't have the hardware to verify testing. Could you please send us a pcap? You can e-mail it to msfdev[at]metasploit.com. Thanks. |
|
Hey @wchen-r7 I do not have the key file so pcap will not be readable. I can share the burp capture though. Please let me know if that suffices. |
|
Yes, please. |
| begin | ||
| res = send_request_cgi( | ||
| { | ||
| 'uri' => '/login?CSRFKey=5PADuD3Z-10v3-b33R-5h0t-0n4h3R0cK555', |
There was a problem hiding this comment.
I have some concern over the CSRFKey parameter. You can hardcode this? The burp logs show they're always updated.
Thx.
There was a problem hiding this comment.
I reviewed this part. Actually, auth req is a POST to /login & the key is not going in with submission. This parameter should be removed for now. Will update the code. Thanks.
removed the csrfkey parameter from login uri.
No description provided.