
Modularise the Softing login code #19075

Merged (2 commits, Apr 29, 2024)

Conversation

@ide0x90 (Contributor) commented Apr 10, 2024

No functional change.

This PR modularises some of the code for the Softing Secure Integration Server (SIS) login. I was writing an exploit module for Softing SIS that required authentication, and had to move some of the code in lib/metasploit/framework/login_scanner/softing_sis.rb to their own methods to make it reusable.

@jheysel-r7 (Contributor)

Hey @ide0x90, thanks for the enhancement!

What version of Softing Secure Integration Server were you testing? I noticed the documentation file said you could download 1.22 from the following link:

## Vulnerable Application

This module was tested against version 1.22, installed on Windows Server 2019 Standard x64.

*1.22 Download*

https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html

I was able to download and install version 1.30.0.48080 from the above link, although I'm seeing a 404 when the module attempts to hit the URL /runtime/core/user/admin/authentication-token. Have you noticed this?

Module output with HttpTrace enabled:

msf6 auxiliary(scanner/http/softing_sis_login) > run

####################
# Request:
####################
GET /runtime/core/product-version HTTP/1.1
Host: 172.16.199.135:8099
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0


####################
# Response:
####################
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Mon, 22 Apr 2024 15:56:12 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Api-Version: N/A
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self' data:

{
   "version" : "1.30.0.48080"
}

[+] 172.16.199.135:8099 - Softing Secure Integration Server 1.30.0.48080
####################
# Request:
####################
GET /runtime/core/user/admin/authentication-token HTTP/1.1
Host: 172.16.199.135:8099
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0
Cookie: lang=en; user=guest


####################
# Response:
####################
HTTP/1.1 404 Not found
Server: nginx/1.14.0
Date: Mon, 22 Apr 2024 15:56:12 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Api-Version: N/A

{
   "Message" : "URL destination '/runtime/core/user/admin/authentication-token' not found"
}

[-] 172.16.199.135:8099 - Failed: 'admin:notpassword'
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/softing_sis_login)

@bwatters-r7 (Contributor)

@jheysel-r7 I think this is required by the PR I'm working on: #19084

This makes way more sense now, as I was confused that the PR I'm working on was missing some methods that appear in this PR....

@jheysel-r7 jheysel-r7 assigned bwatters-r7 and unassigned jheysel-r7 Apr 23, 2024
@bwatters-r7 (Contributor) commented Apr 26, 2024

They changed the login protocol; the original scanner failed on the new version, too. As this is not a regression, I'm going to go ahead and land it, but add an issue: #19142

This PR:

msf6 auxiliary(scanner/http/softing_sis_login) > show options

Module options (auxiliary/scanner/http/softing_sis_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD          admin            no        The password to specify for authentication.
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             8099             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          admin            no        The username to specify for authentication.
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/softing_sis_login) > set rhost 10.5.132.111
rhost => 10.5.132.111
msf6 auxiliary(scanner/http/softing_sis_login) > set username admin
username => admin
msf6 auxiliary(scanner/http/softing_sis_login) > set password admin
password => admin
msf6 auxiliary(scanner/http/softing_sis_login) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/softing_sis_login) > run

[+] 10.5.132.111:8099 - Softing Secure Integration Server 1.22.0.8686
[+] 10.5.132.111:8099 - Success: 'admin:admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


msf6 auxiliary(scanner/http/softing_sis_login) > set rhost 10.5.132.111
rhost => 10.5.132.111
msf6 auxiliary(scanner/http/softing_sis_login) > set username admin
username => admin
msf6 auxiliary(scanner/http/softing_sis_login) > set password admin
password => admin
msf6 auxiliary(scanner/http/softing_sis_login) > set password v3Mpassword
password => v3Mpassword
msf6 auxiliary(scanner/http/softing_sis_login) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/softing_sis_login) > run

[+] 10.5.132.111:8099 - Softing Secure Integration Server 1.30.0.48080
[-] 10.5.132.111:8099 - Failed: 'admin:v3Mpassword'
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/softing_sis_login) > 

master:

msf6 > use auxiliary/scanner/http/softing_sis_login 
msf6 auxiliary(scanner/http/softing_sis_login) > set rhost 10.5.132.111
rhost => 10.5.132.111
msf6 auxiliary(scanner/http/softing_sis_login) > set username admin
username => admin
msf6 auxiliary(scanner/http/softing_sis_login) > set password admin
password => admin
msf6 auxiliary(scanner/http/softing_sis_login) > set password v3Mpassword
password => v3Mpassword
msf6 auxiliary(scanner/http/softing_sis_login) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/softing_sis_login) > run

[+] 10.5.132.111:8099 - Softing Secure Integration Server 1.30.0.48080
[-] 10.5.132.111:8099 - Failed: 'admin:v3Mpassword'
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/softing_sis_login) > 
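The HttpTrace output earlier in this thread and the comparison runs above show the same failure mode: on 1.30 the authentication-token endpoint answers 404, but the scanner reports it as a failed credential ('admin:v3Mpassword'), which is misleading to anyone reading the results. The following is an added example (not Metasploit code and not part of this PR) in Ruby showing how a login routine can separate "endpoint absent / unsupported version" from "wrong password". It uses a constructed `Response` stand-in rather than a real HTTP client, the version JSON and 404 body shapes are copied from the trace in this thread, and the 200/401/403 mappings are assumptions about the product, not documented behaviour.

```ruby
require 'json'

# Stand-in for an HTTP response (constructed for this example; a real
# module would use the framework's HTTP client response object).
Response = Struct.new(:code, :body)

# Version the login flow was documented against (1.22 per the module docs).
LAST_KNOWN_GOOD = Gem::Version.new('1.22')

# Extract the version string from the product-version reply, e.g.
# { "version" : "1.30.0.48080" }. Returns nil on non-200 or bad JSON.
def parse_version(res)
  return nil unless res.code == 200
  JSON.parse(res.body)['version']
rescue JSON::ParserError
  nil
end

# Compare only major.minor so that 1.22.0.8686 still counts as 1.22.
def newer_than_supported?(version)
  Gem::Version.new(version.split('.').first(2).join('.')) > LAST_KNOWN_GOOD
end

# Classify the authentication-token reply. The 404 shape is from the
# HttpTrace in this thread; 200/401/403 mappings are assumptions.
def classify_token_response(res)
  case res.code
  when 404 then :endpoint_missing      # URL not present: not a credential result
  when 401, 403 then :invalid_credentials
  when 200 then :success
  else :unknown
  end
end

# Combine both replies into one outcome so a 404 against a newer server is
# reported as an unsupported version instead of a failed login attempt.
def login_status(version_res, token_res)
  outcome = classify_token_response(token_res)
  return outcome unless outcome == :endpoint_missing

  version = parse_version(version_res)
  return :unsupported_version if version && newer_than_supported?(version)

  :endpoint_missing
end

# Constructed sample replies mirroring the trace above.
VERSION_130 = Response.new(200, '{ "version" : "1.30.0.48080" }')
VERSION_122 = Response.new(200, '{ "version" : "1.22.0.8686" }')
TOKEN_404   = Response.new(404, '{ "Message" : "URL destination \'/runtime/core/user/admin/authentication-token\' not found" }')

if __FILE__ == $PROGRAM_NAME
  puts "1.30 + 404 -> #{login_status(VERSION_130, TOKEN_404)}"
  puts "1.22 + 404 -> #{login_status(VERSION_122, TOKEN_404)}"
end
```

With this shape the scanner can print "unsupported version" for the 1.30 case and leave the credential untouched, which keeps the saved credential data accurate when a database is active.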

@bwatters-r7 bwatters-r7 merged commit 8a08f6a into rapid7:master Apr 29, 2024
35 checks passed
@bwatters-r7 (Contributor) commented Apr 29, 2024

Release Notes

Update the Softing Secure Integration Server login library to allow the code to be better reused by other modules.

@cdelafuente-r7 cdelafuente-r7 added the rn-enhancement release notes enhancement label May 3, 2024