Explicitly register SSL option as true, add proof logging to pfSense Login

Author: sjanusz-r7

lib/metasploit/framework/login_scanner/pfsense.rb

@@ -35,8 +35,12 @@ def query_csrf_magic
 
           res = send_request(request_params)
 
-          if res.nil? || res.code != 200
-            return { status: :failure, error: 'Unknown response from GET request' }
+          if res.nil?
+            return { status: :failure, error: 'Did not receive response to a GET request' }
+          end
+
+          if res.code != 200
+            return { status: :failure, error: "Unexpected return code from GET request - #{res.code}" }
           end
 
           # CSRF Magic Token and Magic Value are inlined as JavaScript in a <script> tag.
@@ -88,13 +92,13 @@ def attempt_login(credential)
           login_result = try_login(credential.public, credential.private, csrf_magic[:result])
 
           if login_result[:result].nil?
-            result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to pfSense')
             return Result.new(result_options)
           end
 
           # 200 is incorrect result
           if login_result[:result].code == 200 || login_result[:result].body.include?('Username or Password incorrect')
-            result_options.merge!(status: ::Metasploit::Model::Login::Status::INCORRECT)
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::INCORRECT, proof: 'Username or Password incorrect')
             return Result.new(result_options)
           end
 
@@ -103,7 +107,7 @@ def attempt_login(credential)
           Result.new(result_options)
 
         rescue ::Rex::ConnectionError => _e
-          result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to pfSense')
           return Result.new(result_options)
         end
       end

modules/auxiliary/scanner/http/pfsense_login.rb

@@ -29,6 +29,7 @@ def initialize(info = {})
     register_options(
       [
         Msf::OptString.new('TARGETURI', [true, 'The base path to the pfSense application', '/']),
+        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),
         Opt::RPORT(443),
       ], self.class
     )
@@ -47,7 +48,11 @@ def process_credential(credential_data)
       create_credential_login(credential_data)
       return { status: :success, credential: credential_data }
     else
-      error_msg = "#{credential_data[:address]}:#{credential_data[:port]} - LOGIN FAILED: #{credential_combo} (#{credential_data[:status]})"
+      if credential_data[:proof]
+        error_msg = "#{credential_data[:address]}:#{credential_data[:port]} - LOGIN FAILED: #{credential_combo} (#{credential_data[:status]} : #{credential_data[:proof]})"
+      else
+        error_msg = "#{credential_data[:address]}:#{credential_data[:port]} - LOGIN FAILED: #{credential_combo} (#{credential_data[:status]})"
+      end
       vprint_error error_msg
       invalidate_login(credential_data)
       return { status: :fail, credential: credential_data }