Merge pull request rapid7#20019 from adfoster-r7/improve-support-for-finding-available-http-login-scanners

adfoster-r7 · web-flow · commit 9ef0f7bd6fdc · 2025-04-11T13:39:16.000+01:00
Improve support for finding available HTTP login scanners
diff --git a/lib/metasploit/framework/login_scanner.rb b/lib/metasploit/framework/login_scanner.rb
@@ -34,6 +34,24 @@ def self.classes_for_service(service)
         end
       end
 
+      # Gather a list of LoginScanner classes that can potentially be
+      # used against an HTTP service
+      #
+      # @return [Array<LoginScanner::Base>] A collection of LoginScanner
+      #   classes that will probably give useful results when run
+      #   against an HTTP service
+      def self.all_http_classes
+        require_login_scanners
+
+        http_base_class = Metasploit::Framework::LoginScanner::HTTP
+        Metasploit::Framework::LoginScanner.constants.sort.filter_map do |sym|
+          const = Metasploit::Framework::LoginScanner.const_get(sym)
+          next unless const.kind_of?(Class) && const.ancestors.include?(http_base_class) && const != http_base_class
+
+          const
+        end
+      end
+
       def self.all_service_names
         require_login_scanners
 
@@ -49,9 +67,9 @@ def self.all_service_names
 
         service_names
       end
-      
+
       private
-      
+
       def self.require_login_scanners
         unless @required
           # Make sure we've required all the scanner classes
diff --git a/lib/metasploit/framework/login_scanner/ivanti_login.rb b/lib/metasploit/framework/login_scanner/ivanti_login.rb
@@ -9,8 +9,8 @@ module LoginScanner
       class Ivanti < HTTP
 
         DEFAULT_SSL_PORT = 443
-        LIKELY_PORTS = [443]
-        LIKELY_SERVICE_NAMES = [
+        LIKELY_PORTS =  self.superclass::LIKELY_PORTS + [443]
+        LIKELY_SERVICE_NAMES = self.superclass::LIKELY_SERVICE_NAMES + [
           'Ivanti Connect Secure'
         ]
         PRIVATE_TYPES = [:password]
diff --git a/lib/metasploit/framework/login_scanner/ldap.rb b/lib/metasploit/framework/login_scanner/ldap.rb
@@ -13,6 +13,7 @@ class LDAP
 
         LIKELY_PORTS         = [ 389, 636 ]
         LIKELY_SERVICE_NAMES = [ 'ldap', 'ldaps', 'ldapssl' ]
+        PRIVATE_TYPES = [:password, :ntlm_hash]
 
         attr_accessor :opts, :realm_key
         # @!attribute use_client_as_proof
diff --git a/lib/metasploit/framework/login_scanner/nessus.rb b/lib/metasploit/framework/login_scanner/nessus.rb
@@ -9,7 +9,7 @@ class Nessus < HTTP
 
         DEFAULT_PORT  = 8834
         PRIVATE_TYPES = [ :password ]
-        LIKELY_SERVICE_NAMES = [ 'nessus' ]
+        LIKELY_SERVICE_NAMES = self.superclass::LIKELY_SERVICE_NAMES + [ 'nessus' ]
         LOGIN_STATUS  = Metasploit::Model::Login::Status # Shorter name
 
 
diff --git a/lib/metasploit/framework/login_scanner/sonicwall.rb b/lib/metasploit/framework/login_scanner/sonicwall.rb
@@ -8,9 +8,8 @@ module LoginScanner
       # - Admin Login
       class SonicWall < HTTP
 
-        DEFAULT_SSL_PORT = [443, 4433]
-        LIKELY_PORTS = [443, 4433]
-        LIKELY_SERVICE_NAMES = [
+        LIKELY_PORTS = self.superclass::LIKELY_PORTS + [4433]
+        LIKELY_SERVICE_NAMES = self.superclass::LIKELY_SERVICE_NAMES + [
           'SonicWall Network Security'
         ]
         PRIVATE_TYPES = [:password]
diff --git a/lib/metasploit/framework/login_scanner/teamcity.rb b/lib/metasploit/framework/login_scanner/teamcity.rb
@@ -121,13 +121,11 @@ def encrypt_data(text, public_key)
         include Crypto
 
         DEFAULT_PORT         = 8111
-        LIKELY_PORTS         = [8111]
-        LIKELY_SERVICE_NAMES = [
+        LIKELY_PORTS         = self.superclass::LIKELY_PORTS + [8111]
+        LIKELY_SERVICE_NAMES = self.superclass::LIKELY_SERVICE_NAMES + [
           # Comes from nmap 7.95 on MacOS
           'skynetflow',
-          'teamcity',
-          'http',
-          'https'
+          'teamcity'
         ]
         PRIVATE_TYPES        = [:password]
         REALM_KEY            = nil
diff --git a/spec/lib/metasploit/framework/login_scanner_spec.rb b/spec/lib/metasploit/framework/login_scanner_spec.rb
@@ -6,50 +6,68 @@
 
 RSpec.describe Metasploit::Framework::LoginScanner do
 
-  subject { described_class.classes_for_service(service) }
-  let(:port) { nil }
-  let(:name) { nil }
-
-  let(:service) do
-    s = double('service')
-    allow(s).to receive(:port) { port }
-    allow(s).to receive(:name) { name }
-    s
-  end
+  describe '.classes_for_service' do
+    subject { described_class.classes_for_service(service) }
+    let(:port) { nil }
+    let(:name) { nil }
 
-  context "with name 'smb'" do
-    let(:name) { 'smb' }
+    let(:service) do
+      instance_double(Mdm::Service, port: port, name: name)
+    end
 
-    it { is_expected.to include Metasploit::Framework::LoginScanner::SMB }
-    it { is_expected.not_to include Metasploit::Framework::LoginScanner::HTTP }
-  end
+    context "with name 'smb'" do
+      let(:name) { 'smb' }
 
+      it { is_expected.to include Metasploit::Framework::LoginScanner::SMB }
+      it { is_expected.not_to include Metasploit::Framework::LoginScanner::HTTP }
+    end
 
-  context "with port 445" do
-    let(:port) { 445 }
+    context "with port 445" do
+      let(:port) { 445 }
 
-    it { is_expected.to include Metasploit::Framework::LoginScanner::SMB }
-    it { is_expected.not_to include Metasploit::Framework::LoginScanner::HTTP }
-    it { is_expected.not_to include Metasploit::Framework::LoginScanner::VNC }
-  end
+      it { is_expected.to include Metasploit::Framework::LoginScanner::SMB }
+      it { is_expected.not_to include Metasploit::Framework::LoginScanner::HTTP }
+      it { is_expected.not_to include Metasploit::Framework::LoginScanner::VNC }
+    end
 
+    context "with name 'http'" do
+      let(:name) { 'http' }
 
-  context "with name 'http'" do
-    let(:name) { 'http' }
+      it { is_expected.to include Metasploit::Framework::LoginScanner::HTTP }
+      it { is_expected.not_to include Metasploit::Framework::LoginScanner::SMB }
+      it { is_expected.not_to include Metasploit::Framework::LoginScanner::VNC }
+    end
 
-    it { is_expected.to include Metasploit::Framework::LoginScanner::HTTP }
-    it { is_expected.not_to include Metasploit::Framework::LoginScanner::SMB }
-    it { is_expected.not_to include Metasploit::Framework::LoginScanner::VNC }
+    [ 80, 8080, 8000, 443 ].each do |foo|
+      context "with port #{foo}" do
+        let(:port) { foo }
+
+        it { is_expected.to include Metasploit::Framework::LoginScanner::HTTP }
+        it { is_expected.to include Metasploit::Framework::LoginScanner::Axis2 }
+        it { is_expected.to include Metasploit::Framework::LoginScanner::Tomcat }
+        it { is_expected.not_to include Metasploit::Framework::LoginScanner::SMB }
+      end
+    end
   end
 
-  [ 80, 8080, 8000, 443 ].each do |foo|
-    context "with port #{foo}" do
-      let(:port) { foo }
+  describe '.all_http_classes' do
+    let(:http_classes) { described_class.all_http_classes }
 
-      it { is_expected.to include Metasploit::Framework::LoginScanner::HTTP }
-      it { is_expected.to include Metasploit::Framework::LoginScanner::Axis2 }
-      it { is_expected.to include Metasploit::Framework::LoginScanner::Tomcat }
-      it { is_expected.not_to include Metasploit::Framework::LoginScanner::SMB }
+    it 'returns a populated array' do
+      expect(http_classes).to be_a Array
+      expect(http_classes).to_not be_empty
+    end
+
+    it 'includes HTTP classes' do
+      expect(http_classes).to include Metasploit::Framework::LoginScanner::TeamCity
+      expect(http_classes).to include Metasploit::Framework::LoginScanner::Ivanti
+    end
+
+    it 'does not include non-HTTP classes' do
+      # Base HTTP scanner should not be present
+      expect(http_classes).to_not include Metasploit::Framework::LoginScanner::HTTP
+      expect(http_classes).to_not include Metasploit::Framework::LoginScanner::SMB
+      expect(http_classes).to_not include Metasploit::Framework::LoginScanner::VNC
     end
   end
 
@@ -69,39 +87,33 @@
       expect(service_names).to include 'https'
       expect(service_names).to include 'smb'
     end
-  end
-
-  describe '.classes_for_service' do
-    described_class.all_service_names.each do |service_name|
-      context "with service #{service_name}" do
-        let(:name) { service_name }
-        let(:login_scanners) { described_class.classes_for_service(service) }
-
-        it 'returns at least one class' do
-          expect(login_scanners).to_not be_empty
-        end
-
 
-        MockService = Struct.new(:name, :port)
-
-        described_class.classes_for_service(MockService.new(name: service_name)).each do |login_scanner|
-          context "when the login scanner is #{login_scanner.name}" do
-            it 'is a LoginScanner' do
-              expect(login_scanner).to include Metasploit::Framework::LoginScanner::Base
-            end
-
-            it 'can be initialized with a single argument' do
-              expect {
-                # here we emulate how Pro will initialize the class by passing a single configuration hash argument
-                login_scanner.new({
-                  bruteforce_speed: 5,
-                  host: '192.0.2.1',
-                  port: 1234,
-                  stop_on_success: true
-                })
-              }.to_not raise_error
-            end
+    it 'returns a list of valid services' do
+      all_scanners = service_names.flat_map do |service_name|
+        service = instance_double Mdm::Service, name: service_name, port: nil
+        classes = described_class.classes_for_service(service)
+        expect(classes).to_not be_empty
+        classes
+      end.uniq
+      expect(all_scanners).to_not be_empty
+
+      all_scanners.each do |scanner|
+        # Emulate how Pro will initialize the class by passing a single configuration hash argument
+        options = {
+          bruteforce_speed: 5,
+          host: '192.0.2.1',
+          port: 1234,
+          stop_on_success: true
+        }
+        aggregate_failures "#{scanner} is a valid scanner" do
+          expect(scanner.const_defined?(:PRIVATE_TYPES)).to be(true), "for #{scanner}"
+          expect(scanner.const_defined?(:LIKELY_SERVICE_NAMES)).to be(true), "for #{scanner}"
+          expect(scanner.const_defined?(:LIKELY_PORTS)).to be(true), "for #{scanner}"
+          if scanner.ancestors.include?(Metasploit::Framework::LoginScanner::HTTP) && scanner != Metasploit::Framework::LoginScanner::WinRM
+            expect(scanner::LIKELY_SERVICE_NAMES).to include('http', 'https'), "for #{scanner}"
+            expect(scanner::LIKELY_PORTS).to include(80, 443, 8000, 8080), "for #{scanner}"
           end
+          expect { scanner.new(options) }.to_not raise_error, "for #{scanner}"
         end
       end
     end
